cloudformation-stack-drift-detection-check - AWS Config


Checks if the actual configuration of a AWS CloudFormation (AWS CloudFormation) stack differs, or has drifted, from the expected configuration. A stack is considered to have drifted if one or more of its resources differ from their expected configuration. The rule and the stack are COMPLIANT when the stack drift status is IN_SYNC. The rule is NON_COMPLIANT if the stack drift status is DRIFTED.


This rule performs the DetectStackDrift operation on each stack in your account. The DetectStackDrift operation can take up to several minutes, depending on the number of resources contained within the stack. Given that the maximum execution time of this rule is limited to 15 mins, it is possible that the rule times out before it completes the evaluation of all the stacks in your account.

If you encounter this issue, it is suggested that you to restrict the number of stacks in-scope for the rule, using tags. You can do the following:

  1. Divide your stacks into groups, each with a different tag.

  2. Apply the same tag to all the stacks in that group.

  3. Have multiple instances of this rule in your account, each scoped by a different tag. This allows each instance of the rule to only process the stacks which have the corresponding tag mentioned in its scope.


Resource Types: AWS::CloudFormation::Stack

Trigger type: Configuration changes and Periodic

AWS Region: All supported AWS regions


Type: String

The Amazon Resource Name (ARN) of the IAM role with policy permissions to detect drift for AWS CloudFormation stacks. For information on required IAM permissions for the role, see Detecting unmanaged configuration changes to stacks and resources | Considerations when detecting drift in the AWS CloudFormation User Guide.

AWS CloudFormation template

To create AWS Config managed rules with AWS CloudFormation templates, see Creating AWS Config Managed Rules With AWS CloudFormation Templates.