AWS CloudFormation and manual changes

I can't seem to find any documentation about what happens when you manually mess with CloudFormation's objects.
I see it tags its objects, but does it recover if, say, someone deletes a routing rule?

EDIT: Just got two contradicting answers. I'd like to request some documentation / evidence, since I have to decide what directions I'm giving my colleagues about modifying these resources.


Solution 1:

CloudFormation only creates or modifies AWS resources during deployment, update, or deletion of a stack. It does not continually 'check and enforce' individual stack resources' configuration states - drift can definitely occur.

As an example, if I deploy a CF Stack and then later manually modify an Inbound Rule on one of its Security Groups, this modification will persist until I run an explicit CF Update or redeploy the stack.

Here are some helpful snippets / links:

Q: Can I manage individual AWS resources that are part of an AWS CloudFormation stack?

Yes. AWS CloudFormation does not get in the way; you retain full control of all elements of your infrastructure. You can continue using all your existing AWS and third-party tools to manage your AWS resources.

AWS CloudFormation Stacks Updates: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks.html

Prevent Updates to Stack Resources: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html

Please note the last link is only referring to protecting resources during a CloudFormation Update action, not ad-hoc changes made via the Management Console or API to individual resources.
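To make the "drift can definitely occur" point concrete, here is an added example (not code from the original thread or from AWS) that detects the exact situation described above: an inbound rule on a stack-managed security group changed by hand. It compares the ingress rules declared in a template resource with the rules observed on the live group and reports what was added or removed outside CloudFormation. Both the template fragment and the "live" description are constructed sample data shaped like a CloudFormation template and the EC2 describe-security-groups output; `check_drift` and the two `normalize_*` helpers are hypothetical names, not a CloudFormation API (CloudFormation's own stack drift detection does a similar comparison across a whole stack; this is a stand-alone illustration of the idea).

```python
"""Added example: offline drift check for one security group.

Constructed sample data only; check_drift / normalize_* are hypothetical
helpers, not part of any AWS SDK.
"""

# Constructed sample: the SecurityGroup resource as declared in a stack template.
TEMPLATE_RESOURCE = {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"},
        ],
    },
}

# Constructed sample: the live group after someone edited the SSH rule in the
# console, widening it from 10.0.0.0/8 to 0.0.0.0/0 (the rule CloudFormation
# deployed is gone, a new one is present; CloudFormation itself does nothing).
LIVE_GROUP = {
    "GroupId": "sg-EXAMPLE",  # placeholder id, constructed
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


def normalize_template_rules(resource):
    """Flatten template SecurityGroupIngress entries to (proto, from, to, cidr)."""
    rules = set()
    for r in resource["Properties"].get("SecurityGroupIngress", []):
        rules.add((r["IpProtocol"], r.get("FromPort"), r.get("ToPort"), r.get("CidrIp")))
    return rules


def normalize_live_rules(group):
    """Flatten describe-security-groups style IpPermissions to the same tuples.

    One IpPermissions entry can carry several IpRanges, so each CIDR becomes
    its own tuple; protocol "-1" (all traffic) has no ports and yields None.
    """
    rules = set()
    for p in group.get("IpPermissions", []):
        for rng in p.get("IpRanges", []):
            rules.add((p["IpProtocol"], p.get("FromPort"), p.get("ToPort"), rng["CidrIp"]))
    return rules


def check_drift(resource, group):
    """Report rules present on the live group but not in the template, and vice versa."""
    declared = normalize_template_rules(resource)
    observed = normalize_live_rules(group)
    # key=repr keeps sorting stable even when ports are None (protocol "-1")
    return {
        "added_outside_cfn": sorted(observed - declared, key=repr),
        "removed_outside_cfn": sorted(declared - observed, key=repr),
        "in_sync": declared == observed,
    }


if __name__ == "__main__":
    report = check_drift(TEMPLATE_RESOURCE, LIVE_GROUP)
    for rule in report["added_outside_cfn"]:
        print("rule added outside CloudFormation:", rule)
    for rule in report["removed_outside_cfn"]:
        print("rule removed outside CloudFormation:", rule)
    print("in sync with template:", report["in_sync"])
```

Running it against the sample shows the SSH rule opened to 0.0.0.0/0 as added and the original 10.0.0.0/8 rule as removed, which is precisely the state a stack update or redeploy would later revert. A periodic comparison like this (or CloudFormation's stack drift detection) is how you learn about such changes before the next update surprises someone.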

Solution 2:

If you mess with resources that CloudFormation deploys, the resources won't be recovered/restored/put into compliance; if you really need to enforce integrity you will need to redeploy the stack.