cloudformation-stack-drift-detection-check - Amazon Config

cloudformation-stack-drift-detection-check

Checks if the actual configuration of an Amazon CloudFormation stack differs, or has drifted, from the expected configuration defined in its template. A stack is considered to have drifted if one or more of its resources differ from their expected configuration. The rule and the stack are COMPLIANT when the stack drift status is IN_SYNC. The rule is NON_COMPLIANT if the stack drift status is DRIFTED.

Note

This rule performs the DetectStackDrift operation on each stack in your account. The DetectStackDrift operation can take up to several minutes, depending on the number of resources contained within the stack. Because the maximum execution time of this rule is limited to 15 minutes, the rule may time out before it completes the evaluation of all the stacks in your account.

If you encounter this issue, restrict the number of stacks in scope for the rule by using tags. You can do the following:

  1. Divide your stacks into groups, each with a different tag.

  2. Apply the same tag to all the stacks in that group.

  3. Create multiple instances of this rule in your account, each scoped by a different tag. Each instance of the rule then processes only the stacks that carry the tag named in its scope.

Identifier: CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK

Resource Types: AWS::CloudFormation::Stack

Trigger type: Configuration changes and Periodic

Amazon Web Services Region: All supported Amazon Web Services Regions except Europe (Stockholm), Europe (Paris), Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), Israel (Tel Aviv), Canada West (Calgary), Europe (Spain), and Europe (Zurich)

Parameters:

cloudformationRoleArn
Type: String

The Amazon Resource Name (ARN) of the IAM role whose policy grants the permissions needed to detect drift for Amazon CloudFormation stacks. For the IAM permissions the role requires, see the Considerations when detecting drift section of Detecting unmanaged configuration changes to stacks and resources in the Amazon CloudFormation User Guide.

Amazon CloudFormation template

To create Amazon Config managed rules with Amazon CloudFormation templates, see Creating Amazon Config Managed Rules With Amazon CloudFormation Templates.
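The following template is an added example, not a template from this page or from Amazon; it shows the tag-scoped setup described in the note above (two instances of the rule, each scoped to a different tag value) together with the cloudformationRoleArn parameter. The tag key (drift-check-group), the tag values (group-a, group-b), the rule names and the role ARN default are assumptions; the role ARN is a placeholder that must be replaced with a role carrying the permissions listed in the Amazon CloudFormation User Guide.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example: two instances of CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK,
  each scoped to stacks that carry a different value of the same tag key, so
  that each instance evaluates a smaller set of stacks within its 15-minute
  execution limit.

Parameters:
  CloudFormationDriftRoleArn:
    Type: String
    # Placeholder value, not a real role. Replace with the ARN of a role that
    # holds the drift-detection permissions from the CloudFormation User Guide.
    Default: arn:aws:iam::123456789012:role/PLACEHOLDER-drift-detection-role
    Description: ARN passed to the rule as cloudformationRoleArn.
  ScopeTagKey:
    Type: String
    Default: drift-check-group   # assumed tag key applied to every stack
  GroupATagValue:
    Type: String
    Default: group-a             # assumed tag value for the first group
  GroupBTagValue:
    Type: String
    Default: group-b             # assumed tag value for the second group

Resources:
  # Instance 1: evaluates only resources tagged drift-check-group=group-a.
  # The managed rule itself only evaluates AWS::CloudFormation::Stack.
  DriftCheckGroupA:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: cloudformation-stack-drift-detection-check-group-a
      Description: Drift detection for stacks in tag group A (added example)
      Source:
        Owner: AWS
        SourceIdentifier: CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK
      InputParameters:
        cloudformationRoleArn: !Ref CloudFormationDriftRoleArn
      # The rule is also periodic; daily is an assumed schedule, adjust to taste.
      MaximumExecutionFrequency: TwentyFour_Hours
      Scope:
        TagKey: !Ref ScopeTagKey
        TagValue: !Ref GroupATagValue

  # Instance 2: same rule and role, scoped to drift-check-group=group-b.
  DriftCheckGroupB:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: cloudformation-stack-drift-detection-check-group-b
      Description: Drift detection for stacks in tag group B (added example)
      Source:
        Owner: AWS
        SourceIdentifier: CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK
      InputParameters:
        cloudformationRoleArn: !Ref CloudFormationDriftRoleArn
      MaximumExecutionFrequency: TwentyFour_Hours
      Scope:
        TagKey: !Ref ScopeTagKey
        TagValue: !Ref GroupBTagValue

Outputs:
  GroupARuleName:
    Value: !Ref DriftCheckGroupA
  GroupBRuleName:
    Value: !Ref DriftCheckGroupB
```

Before deploying, tag every stack you want evaluated with the chosen key and one of the group values; a stack without the tag falls outside every instance's scope and will not be evaluated for drift by this rule. Adding a third group means adding a third AWS::Config::ConfigRule resource with its own tag value, not widening an existing scope.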