cloudformation-stack-drift-detection-check
Checks if the actual configuration of an Amazon CloudFormation stack differs, or has drifted, from the expected configuration. A stack is considered to have drifted if one or more of its resources differ from their expected configuration. The rule and the stack are COMPLIANT when the stack drift status is IN_SYNC. The rule is NON_COMPLIANT if the stack drift status is DRIFTED.
Note
This rule performs the DetectStackDrift operation on each stack in your account. The DetectStackDrift operation can take up to several minutes, depending on the number of resources contained within the stack. Given that the maximum execution time of this rule is limited to 15 mins, it is possible that the rule times out before it completes the evaluation of all the stacks in your account.
If you encounter this issue, it is suggested that you restrict the number of stacks in scope for the rule by using tags. You can do the following:
- Divide your stacks into groups, each with a different tag.
- Apply the same tag to all the stacks in that group.
- Have multiple instances of this rule in your account, each scoped by a different tag. This allows each instance of the rule to process only the stacks that carry the tag named in its scope.
Identifier: CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK
Resource Types: AWS::CloudFormation::Stack
Trigger type: Configuration changes and Periodic
Amazon Web Services Region: All supported Amazon regions except US ISO West (Northern California), Europe (Stockholm), Europe (Paris), Asia Pacific (Jakarta), US ISO East, Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), US ISOB East (Ohio), Asia Pacific (Melbourne), Israel (Tel Aviv), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region
Parameters:
- cloudformationRoleArn (Type: String)
  The Amazon Resource Name (ARN) of the IAM role with policy permissions to detect drift for Amazon CloudFormation stacks. For information on required IAM permissions for the role, see Detecting unmanaged configuration changes to stacks and resources | Considerations when detecting drift in the Amazon CloudFormation User Guide.
Amazon CloudFormation template
To create Amazon Config managed rules with Amazon CloudFormation templates, see Creating Amazon Config Managed Rules With Amazon CloudFormation Templates.
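The following template is an added example and is not part of the Amazon documentation page. It puts the tag-scoping advice from the note (one rule instance per tagged group of stacks) together with the cloudformationRoleArn parameter into a single CloudFormation template that creates two instances of the managed rule. The tag key DriftGroup, the tag values group-a and group-b, the rule names, and the assumption that a suitable IAM role already exists (its ARN is passed in as a template parameter) are all choices made for this example.

```yaml
# Added example, not from the Amazon Config documentation: two tag-scoped
# instances of CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK so that each
# instance evaluates a smaller set of stacks and stays within the rule's
# 15-minute execution limit.
AWSTemplateFormatVersion: "2010-09-09"
Description: Tag-scoped instances of cloudformation-stack-drift-detection-check

Parameters:
  DriftDetectionRoleArn:
    Type: String
    Description: >-
      ARN of an existing IAM role that Amazon Config passes to CloudFormation
      for drift detection. Assumption: the role already exists and carries the
      permissions listed in the CloudFormation User Guide.
  DriftGroupTagKey:
    Type: String
    Default: DriftGroup   # assumed tag key applied to every in-scope stack

Resources:
  # Instance 1: only stacks tagged DriftGroup=group-a are evaluated.
  DriftCheckGroupA:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: cloudformation-stack-drift-detection-check-group-a
      Description: Stack drift check for stacks tagged group-a
      Source:
        Owner: AWS
        SourceIdentifier: CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK
      InputParameters:
        cloudformationRoleArn: !Ref DriftDetectionRoleArn
      Scope:
        ComplianceResourceTypes:
          - AWS::CloudFormation::Stack
        TagKey: !Ref DriftGroupTagKey
        TagValue: group-a
      MaximumExecutionFrequency: TwentyFour_Hours

  # Instance 2: only stacks tagged DriftGroup=group-b are evaluated.
  DriftCheckGroupB:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: cloudformation-stack-drift-detection-check-group-b
      Description: Stack drift check for stacks tagged group-b
      Source:
        Owner: AWS
        SourceIdentifier: CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK
      InputParameters:
        cloudformationRoleArn: !Ref DriftDetectionRoleArn
      Scope:
        ComplianceResourceTypes:
          - AWS::CloudFormation::Stack
        TagKey: !Ref DriftGroupTagKey
        TagValue: group-b
      MaximumExecutionFrequency: TwentyFour_Hours
```

Deploy it with `aws cloudformation deploy --template-file drift-rules.yaml --stack-name drift-detection-rules --parameter-overrides DriftDetectionRoleArn=arn:aws:iam::123456789012:role/ExampleDriftRole` (account id and role name are placeholders). The Amazon Config configuration recorder must already be enabled in the region, and each group of stacks must carry the DriftGroup tag with the matching value; any stack without the tag is not evaluated by either instance, so keep a tag inventory so that stacks are not silently excluded from drift checking.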