How do I resolve drift detection errors in CloudFormation with my AWS managed rule "cloudformation-stack-drift-detection-check" for AWS Config?
Last updated: 2021-04-06
I want to resolve drift detection errors in AWS CloudFormation with my AWS managed rule cloudformation-stack-drift-detection-check for AWS Config.
You can receive the following errors even if the drift status of your stack shows as IN_SYNC in the CloudFormation console:
- "AWS CloudFormation failed to detect drift, defaulting to NON_COMPLIANT. Re-evaluate the rule and try again. If the problem persists contact AWS CloudFormation support."
- "Your stack drift detection operation for the specific stack has failed. Check your existing AWS CloudFormation role permissions and add the missing permissions."
Depending upon the error that you receive, choose either of the following options:
- If you receive the NON_COMPLIANT error, complete the steps in the Update your AWS Config rules section.
- If you receive the permissions error, complete the steps in the Set the correct permissions section.
Note: The AWS managed rule cloudformation-stack-drift-detection-check checks CloudFormation stacks for drift detection using the DetectStackDrift API. This rule has both a periodic and configuration change trigger type. You get an error message if drift detection fails.
Update your AWS Config rules
You can receive a NON_COMPLIANT error message in the AWS Config console for the following reasons:
- The resources in your CloudFormation stack don't support drift detection. You receive an error as an annotation against the NON_COMPLIANT resource for your AWS Config rule. For example, you receive a "Drift detection is not supported for ResourceType" error in the AWS CloudTrail log.
- Your AWS Config rule depends on the availability of DetectStackDrift. If DetectStackDrift returns a throttling or "Rate Exceeded" error, AWS Config defaults the rule to NON_COMPLIANT.
To resolve the error resulting from no drift detection support:
Ignore the CloudFormation stack in NON_COMPLIANT status. The error is a false positive in this scenario. For more information, see Evaluating Your Resources.
To resolve the error resulting from the availability of DetectStackDrift:
1. Evaluate your AWS Config rule again.
Note: For example, you can attach config.amazonaws.com trusted permissions and ReadOnlyAccess (AWS managed) policy permissions to the role whose Amazon Resource Name (ARN) is provided in the rule's required parameter cloudformationRoleArn. For more information, see Considerations when detecting drift.
2. Perform drift detection on your CloudFormation stacks.
3. Run the evaluation through your AWS Config rule.
Set the correct permissions
You receive a permissions error when the AWS Identity and Access Management (IAM) role for the required cloudformationRoleArn parameter doesn't have permissions for the DetectStackDrift API, the DetectStackResourceDrift API, or other required services.
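The following added example (not part of the original article or AWS code) checks exported IAM policy JSON for the role behind cloudformationRoleArn and reports whether config.amazonaws.com is trusted and whether the two drift detection actions are allowed. The function names and sample documents are constructed for illustration. As a simplification, the check ignores Resource, Condition, and NotAction elements, permissions boundaries, and service control policies.

```python
import fnmatch

# The two actions and the service principal named on the page; the page's
# "other required service permissions" are not listed there and not checked.
REQUIRED_ACTIONS = ("cloudformation:DetectStackDrift",
                    "cloudformation:DetectStackResourceDrift")
TRUSTED_SERVICE = "config.amazonaws.com"

def as_list(value):
    """IAM JSON accepts either a single value or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def covers(stmt, action):
    """True if an Action pattern in stmt matches action (case-insensitive wildcards)."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in as_list(stmt.get("Action")))

def trusts_config(stmt):
    """True if a trust statement lets the AWS Config service assume the role."""
    principal = stmt.get("Principal")
    services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
    return (stmt.get("Effect") == "Allow" and covers(stmt, "sts:AssumeRole")
            and TRUSTED_SERVICE in services)

def role_findings(trust_policy, permission_policies):
    """Return a list of problems; an empty list means both checks pass."""
    findings = []
    if not any(trusts_config(s) for s in as_list(trust_policy.get("Statement"))):
        findings.append(f"trust policy does not let {TRUSTED_SERVICE} assume the role")
    stmts = [s for p in permission_policies for s in as_list(p.get("Statement"))]
    for action in REQUIRED_ACTIONS:
        if any(s.get("Effect") == "Deny" and covers(s, action) for s in stmts):
            findings.append(f"{action} is explicitly denied")
        elif not any(s.get("Effect") == "Allow" and covers(s, action) for s in stmts):
            findings.append(f"{action} is not allowed")
    return findings

# Constructed sample documents (not taken from the page).
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "config.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}
SAMPLE_PARTIAL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["cloudformation:Describe*", "cloudformation:DetectStackDrift"]}]}
SAMPLE_FULL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": "cloudformation:Detect*"}]}

if __name__ == "__main__":
    for name, policy in (("partial", SAMPLE_PARTIAL), ("full", SAMPLE_FULL)):
        print(name, role_findings(SAMPLE_TRUST, [policy]) or "ok")
```

An empty result covers only the two actions the article names; a role can still fail drift detection if it lacks read permissions for the resource types in the stack.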