A configuration package to automatically monitor CloudFormation stack drift (drift occurs when resources deployed through CloudFormation are manually changed afterwards). The package includes:

Note: You might have to increase the limit for Drift Detection runtimes if your account contains a large number of CloudFormation stacks; contact AWS Support to request a limit increase.
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  ConfigRule:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "cloudformation-stack-drift-detection-check"
      Scope:
        ComplianceResourceTypes:
          - "AWS::CloudFormation::Stack"
      Description: "A config rule that checks whether an AWS CloudFormation stack's actual configuration differs, or has drifted, from its expected configuration. A stack is considered to have drifted if one or more of its resources differ from their expected configurati..."
      InputParameters:
        cloudformationRoleArn:
          Fn::GetAtt:
            - "IamRole"
            - "Arn"
      Source:
        Owner: "AWS"
        SourceIdentifier: "CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK"
      MaximumExecutionFrequency: "TwentyFour_Hours"
  IamRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "CfnDriftDetectionRole"
      Description: "IAM role for CloudFormation Drift Detection"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "config.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/ReadOnlyAccess"
      Policies:
        - PolicyName: "AllowAccessToDriftDetection"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "cloudformation:DetectStackResourceDrift"
                  - "cloudformation:DescribeStackDriftDetectionStatus"
                  - "cloudformation:DetectStackDrift"
                Resource: "*"
Parameters: {}
Metadata: {}
Conditions: {}
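The API flow the role above is permitted to run (DetectStackDrift, then polling DescribeStackDriftDetectionStatus until it leaves DETECTION_IN_PROGRESS) is shown here as an added example; it is not part of this package. The compliance mapping, the function names and the stub client are assumptions of the example, and boto3 is only needed when a real client is passed in.

```python
"""Added example: drive CloudFormation drift detection for one stack and turn
the result into a Config-style compliance value. Runs offline with the stub."""
import time

# StackDriftStatus values reported by CloudFormation. NOT_CHECKED is returned
# when no resource in the stack supports drift detection.
_STATUS_TO_COMPLIANCE = {
    "IN_SYNC": "COMPLIANT",
    "DRIFTED": "NON_COMPLIANT",
    "NOT_CHECKED": "NOT_APPLICABLE",
    "UNKNOWN": "NOT_APPLICABLE",
}


def compliance_from_status(status):
    """Map a DescribeStackDriftDetectionStatus response to a compliance value.
    DETECTION_FAILED still carries a stack-level StackDriftStatus for the
    resources that were checked, so it is evaluated rather than discarded."""
    if status.get("DetectionStatus") == "DETECTION_IN_PROGRESS":
        raise RuntimeError("drift detection still running")
    return _STATUS_TO_COMPLIANCE.get(status.get("StackDriftStatus"), "NOT_APPLICABLE")


def detect_and_evaluate(cfn, stack_name, poll_seconds=5, max_polls=60):
    """Start drift detection on `stack_name` and poll until it finishes.
    `cfn` is a CloudFormation client (boto3 or any object exposing the same
    two calls). Returns (compliance, drifted_resource_count)."""
    detection_id = cfn.detect_stack_drift(StackName=stack_name)["StackDriftDetectionId"]
    for _ in range(max_polls):
        status = cfn.describe_stack_drift_detection_status(StackDriftDetectionId=detection_id)
        if status["DetectionStatus"] != "DETECTION_IN_PROGRESS":
            return compliance_from_status(status), status.get("DriftedStackResourceCount", 0)
        time.sleep(poll_seconds)
    raise TimeoutError(f"drift detection {detection_id} did not finish in time")


class StubCloudFormation:
    """Constructed stand-in for the boto3 client so the flow runs offline;
    it replays a fixed sequence of status responses (assumption, not AWS code)."""

    def __init__(self, statuses):
        self._statuses = list(statuses)

    def detect_stack_drift(self, StackName):
        return {"StackDriftDetectionId": "constructed-detection-id"}

    def describe_stack_drift_detection_status(self, StackDriftDetectionId):
        return self._statuses.pop(0)
```

With a real account, pass `boto3.client("cloudformation")` as `cfn`; the caller needs the same three cloudformation actions the template grants to CfnDriftDetectionRole.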