How do I resolve drift detection errors in CloudFormation with my AWS managed rule "cloudformation-stack-drift-detection-check" for AWS Config?

Last updated: 2021-04-06

I want to resolve drift detection errors in AWS CloudFormation with my AWS managed rule cloudformation-stack-drift-detection-check for AWS Config.

Short description

You can receive the following errors even if the drift status of your stack shows as IN_SYNC in the CloudFormation console:

  • "AWS CloudFormation failed to detect drift, defaulting to NON_COMPLIANT. Re-evaluate the rule and try again. If the problem persists contact AWS CloudFormation support."
  • "Your stack drift detection operation for the specific stack has failed. Check your existing AWS CloudFormation role permissions and add the missing permissions."

Depending on the error that you receive, choose one of the following options:

  • If you receive the NON_COMPLIANT error, complete the steps in the Update your AWS Config rules section.
  • If you receive the permissions error, complete the steps in the Set the correct permissions section.

Note: The AWS managed rule cloudformation-stack-drift-detection-check checks CloudFormation stacks for drift using the DetectStackDrift API. The rule has both periodic and configuration-change trigger types. You get an error message if drift detection fails.

Resolution

Update your AWS Config rules

You can receive a NON_COMPLIANT error message in the AWS Config console for the following reasons:

  • The resources in your CloudFormation stack don't support drift detection. The error appears as an annotation against the NON_COMPLIANT resource for your AWS Config rule. For example, you see a "Drift detection is not supported for ResourceType" error in the AWS CloudTrail log.
  • Your AWS Config rule depends on the availability of DetectStackDrift. When the API call is throttled, you see a throttling or "Rate Exceeded" error, and AWS Config defaults the evaluation to NON_COMPLIANT.

To resolve the error resulting from no drift detection support:

Ignore the CloudFormation stack in NON_COMPLIANT status. The error is a false positive in this scenario. For more information, see Evaluating Your Resources.

-or-

Create a custom AWS Config rule that includes a provision to exclude your stacks from evaluations. For AWS Config rule examples, see AWS Config Rules Repository and RDKlib.

To resolve the error resulting from the availability of DetectStackDrift:

1. Evaluate your AWS Config rule again.

Note: Before you re-evaluate, confirm that the role whose Amazon Resource Name (ARN) is provided in the rule's required parameter cloudformationRoleArn is correctly set up. For example, you can add config.amazonaws.com to the role's trust policy and attach the ReadOnlyAccess (AWS managed) policy to it. For more information, see Considerations when detecting drift.

2. Perform drift detection on your CloudFormation stacks.

3. Run the evaluation through your AWS Config rule.

Set the correct permissions

You receive a permissions error when the AWS Identity and Access Management (IAM) role referenced by the required cloudformationRoleArn parameter doesn't have permissions for the DetectStackDrift API, the DetectStackResourceDrift API, or other required services.

To resolve this error, edit the trust policy for your IAM role so that config.amazonaws.com can assume it, and attach the ReadOnlyAccess (AWS managed) policy to the role referenced by cloudformationRoleArn.
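As an added check that is not part of this article, the following Python (standard library only) tests whether a role's trust policy lets config.amazonaws.com assume it and whether its permissions policy grants the two drift actions named above. The policy documents are constructed samples, and the ReadOnlyAccess (AWS managed) policy is approximated by a constructed policy that allows cloudformation:Describe* and cloudformation:Detect*.

```python
import json
from fnmatch import fnmatchcase

# Actions the rule's cloudformationRoleArn role needs for drift detection (from the article).
REQUIRED_ACTIONS = ("cloudformation:DetectStackDrift",
                    "cloudformation:DetectStackResourceDrift")
CONFIG_SERVICE = "config.amazonaws.com"


def _as_list(value):
    """IAM accepts either a single string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def trust_policy_allows_config(trust_policy: dict) -> bool:
    """True if an Allow statement names config.amazonaws.com as a service principal
    for sts:AssumeRole. Only explicit service principals are accepted here."""
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if CONFIG_SERVICE in services and any(fnmatchcase("sts:assumerole", a) for a in actions):
            return True
    return False


def missing_drift_actions(permissions_policy: dict) -> list:
    """Required cloudformation actions not granted by any Allow statement.
    IAM action names are case-insensitive and may use '*' wildcards, so match that way."""
    allowed = [a.lower() for stmt in _as_list(permissions_policy.get("Statement", []))
               if stmt.get("Effect") == "Allow"
               for a in _as_list(stmt.get("Action", []))]
    return [r for r in REQUIRED_ACTIONS
            if not any(fnmatchcase(r.lower(), a) for a in allowed)]


def check_role(trust_policy: dict, permissions_policy: dict) -> list:
    """Return a list of findings; an empty list means the role should satisfy the rule."""
    findings = []
    if not trust_policy_allows_config(trust_policy):
        findings.append(f"trust policy does not allow {CONFIG_SERVICE} to assume the role")
    findings.extend(f"missing action {a}" for a in missing_drift_actions(permissions_policy))
    return findings


# Constructed samples: a role that trusts only CloudFormation with a narrow permissions
# policy (the failing case), and the corrected trust policy with ReadOnlyAccess-like actions.
BROKEN_TRUST = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
    '"Principal": {"Service": "cloudformation.amazonaws.com"}, "Action": "sts:AssumeRole"}]}')
FIXED_TRUST = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
    '"Principal": {"Service": ["cloudformation.amazonaws.com", "config.amazonaws.com"]}, '
    '"Action": "sts:AssumeRole"}]}')
NARROW_PERMS = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["cloudformation:DescribeStacks"], "Resource": "*"}]}
READ_ONLY_LIKE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["cloudformation:Describe*", "cloudformation:Detect*"], "Resource": "*"}]}

if __name__ == "__main__":
    print("broken role:", check_role(BROKEN_TRUST, NARROW_PERMS))
    print("fixed role:", check_role(FIXED_TRUST, READ_ONLY_LIKE))
```

Feed the output of `aws iam get-role` (the AssumeRolePolicyDocument field) and `aws iam get-policy-version` into these functions to check a real role before re-evaluating the rule.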
