AWS Config
Developer Guide

cloudformation-stack-drift-detection-check

Checks whether an AWS CloudFormation stack's actual configuration differs, or has drifted, from its expected configuration. A stack is considered to have drifted if one or more of its resources differ from their expected configuration. The rule and the stack are COMPLIANT when the stack drift status is IN_SYNC. The rule and the stack are NON_COMPLIANT when the stack drift status is DRIFTED.

Note

If the stacks you created are not visible, choose Re-evaluate and check again.

Identifier: CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK

Trigger type: Configuration changes and periodic

Parameters:

cloudformationRoleArn

The AWS CloudFormation role ARN with IAM policy permissions to detect drift for AWS CloudFormation stacks.

Note

If the role does not have all of the required permissions, the rule fails. The error appears as an annotation at the top of the page. Ensure that the role's trust policy allows config.amazonaws.com to assume it and that the ReadOnlyAccess policy is attached. For the specific policy permissions required, refer to Detecting Unmanaged Configuration Changes to Stacks and Resources in the AWS CloudFormation User Guide.

AWS CloudFormation template

To create AWS Config managed rules with AWS CloudFormation templates, see Creating AWS Config Managed Rules With AWS CloudFormation Templates.
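The following CloudFormation template is an added example, not from the AWS Config Developer Guide. It creates the IAM role that the rule assumes (trusted by config.amazonaws.com and carrying the ReadOnlyAccess managed policy, as the note above describes) and then deploys the managed rule with that role ARN passed in the cloudformationRoleArn parameter. The role name DriftDetectionRole, the rule name and the description are illustrative choices; the inline policy listing the cloudformation:Detect* and Describe*Drift* actions is an assumption added so that the role can start and read drift detection even if the attached managed policy does not cover those calls, and should be checked against the permissions listed in the CloudFormation User Guide.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example: AWS Config managed rule that flags CloudFormation stacks
  whose drift status is DRIFTED, plus the role the rule uses to detect drift.

Resources:
  # Role that AWS Config assumes to run drift detection on stacks.
  # The trust policy names config.amazonaws.com, as the rule note requires.
  DriftDetectionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ConfigCloudFormationDriftDetection   # illustrative name
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: config.amazonaws.com
            Action: sts:AssumeRole
      # ReadOnlyAccess is what the rule documentation asks for; drift
      # detection compares live resource state with the template, so the
      # role needs read access to the resources in the stacks it checks.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
      Policies:
        # Assumed addition: explicit drift-detection actions, scoped to
        # stacks in this account and Region only (least privilege).
        - PolicyName: CloudFormationDriftDetection
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - cloudformation:DetectStackDrift
                  - cloudformation:DetectStackResourceDrift
                  - cloudformation:DescribeStackDriftDetectionStatus
                  - cloudformation:DescribeStackResourceDrifts
                Resource: !Sub "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*/*"

  # The managed rule itself. Owner AWS plus the SourceIdentifier from this
  # page selects cloudformation-stack-drift-detection-check. InputParameters
  # is a JSON string; the only parameter is cloudformationRoleArn.
  StackDriftRule:
    Type: AWS::Config::ConfigRule
    DependsOn: DriftDetectionRole
    Properties:
      ConfigRuleName: cloudformation-stack-drift-detection-check
      Description: >-
        NON_COMPLIANT when a CloudFormation stack's drift status is DRIFTED.
      Source:
        Owner: AWS
        SourceIdentifier: CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK
      InputParameters:
        cloudformationRoleArn: !GetAtt DriftDetectionRole.Arn
      # The rule is triggered by configuration changes and periodically;
      # the frequency below governs the periodic evaluations.
      MaximumExecutionFrequency: TwentyFour_Hours
      Scope:
        ComplianceResourceTypes:
          - AWS::CloudFormation::Stack

Outputs:
  DriftDetectionRoleArn:
    Description: ARN passed to the rule as cloudformationRoleArn
    Value: !GetAtt DriftDetectionRole.Arn
```

The template assumes AWS Config is already recording AWS::CloudFormation::Stack resources in the account and Region; deploy it with the usual create-stack or deploy command and, if existing stacks do not appear under the rule, use Re-evaluate as the note above suggests. A role that lacks any of the needed permissions will surface as the annotation error described on this page rather than as a NON_COMPLIANT finding, so an empty or errored evaluation should be read as a permissions problem first, not as proof that the stacks are in sync.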