Infrastructure as Code: CloudFormation Change Sets

In the AWS Certified Solutions Architect – Associate (SAA-C03) exam, understanding how to safely update infrastructure is just as important as knowing how to build it. AWS CloudFormation Change Sets provide a preview mechanism that allows you to see how proposed changes to a stack might impact your running resources before you execute them.

Real-World Analogy: Imagine you are renovating your house. Before the contractor swings a sledgehammer, they show you a 3D blueprint highlighting exactly which walls will be removed and which will be painted. You can approve the plan or cancel it before any permanent damage is done. A Change Set is that “3D blueprint” for your AWS infrastructure.

Core Concepts & Workflow

When you want to update a stack, you don’t have to apply the changes blindly. The Change Set process follows three distinct steps:

  1. Create: You submit a modified template or new parameter values. AWS compares these against the current state of the stack.
  2. View: You review the generated Change Set. AWS lists the resources that will be added, modified, or deleted. Crucially, it tells you if a resource will be replaced (which usually involves downtime or data loss).
  3. Execute: If the changes look correct, you execute the Change Set to update the stack. If not, you delete it and start over.

Impact Assessment: Modification vs. Replacement

The most critical piece of information in a Change Set is the Replacement column. In the SAA-C03 exam, pay close attention to this:

  • False (Modification): The resource is updated in place (e.g., changing a tag or an IAM policy).
  • True (Replacement): The resource is deleted and a new one is created (e.g., changing the name of an S3 bucket or the Engine type of an RDS instance). This often results in a new physical ID and potential service interruption.

Comparison: Change Sets vs. Other Tools

Feature CloudFormation Change Sets CloudFormation Drift Detection Stack Policies
Primary Purpose Previewing future changes before deployment. Identifying unmanaged changes made manually. Preventing accidental updates/deletions of specific resources.
Timing Pre-deployment. Post-deployment (anytime). During deployment.
Best For Avoiding accidental resource replacement. Maintaining compliance and “Source of Truth.” Protecting production databases from deletion.

Exam Tips and Gotchas

  • The “Dry Run” Keyword: If an exam question asks how to perform a “dry run” or “preview the impact” of a CloudFormation update, Change Sets is almost always the correct answer.
  • No Execution Guarantee: Creating a Change Set does not update your stack. It only generates a report. You must explicitly call the ExecuteChangeSet action.
  • Resource Limits: You can have up to 20 Change Sets per stack at any given time.
  • Nested Stacks: Change Sets can now preview changes across nested stack hierarchies, providing a holistic view of complex deployments.
  • Permissions: To use Change Sets, an IAM user needs permissions for both cloudformation:CreateChangeSet and cloudformation:ExecuteChangeSet, as well as permissions to modify the underlying resources (EC2, RDS, etc.).

Decision Matrix / If–Then Guide

If the requirement is… Then use…
Ensure an RDS instance is not replaced during a stack update. Change Sets (to verify) + Stack Policies (to prevent).
Determine why a stack is behaving differently than the template. Drift Detection.
Deploy the same template across multiple AWS Accounts/Regions. CloudFormation StackSets.
Automate the review of infrastructure changes in a CI/CD pipeline. AWS CodePipeline with a CloudFormation Change Set action.

Topics covered:

Summary of key subtopics covered in this guide:

  • Change Set Lifecycle (Create, View, Execute).
  • Resource Replacement vs. Modification.
  • Distinction between Change Sets and Drift Detection.
  • Security and IAM requirements for executing changes.
  • Operational safety and preventing downtime in production environments.

Infographic: The Change Set Workflow

New Template CREATE CHANGE SET REVIEW IMPACT EXECUTE UPDATED STACK

Service Ecosystem

IAM Control who can create vs. who can execute sets.

SNS Get notified when a Change Set is ready for review.

CloudTrail Audit who created or executed specific changes.

Performance & Safety

  • Zero Downtime: Identify “Replacement: True” to avoid unexpected outages.
  • Rollback: If execution fails, CloudFormation automatically rolls back to the previous stable state.

Cost Optimization

Change Sets are free. You only pay for the AWS resources (EC2, RDS, etc.) created once the set is executed.

Use Case: Previewing an instance type change (e.g., t3.micro to m5.large) to calculate future cost increases.

Production Use Case: A DevOps team wants to update their Auto Scaling Group Launch Template. They create a Change Set and see that the LaunchTemplate property update will trigger a rolling update of instances. They approve the Change Set during a maintenance window to ensure minimal user impact.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top