Name of the resource
AWS::IAM::Role
Issue Description
Drift detection does not report an IAM role resource as drifted when AWS managed and customer managed policies are attached to the role out of band, i.e. outside of CloudFormation.
Expected Behavior
The values returned in the drift report should reflect the policies attached to the physical resource and show the resource as DRIFTED, but instead it shows IN_SYNC.
Observed Behavior
There is no drift detected. There might be an issue with the drift evaluation workflow.
Test Cases
- Deploy a stack with the following template:

  Resources:
    testRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Statement:
            - Action: sts:AssumeRole
              Effect: Allow
              Principal:
                Service: lambda.amazonaws.com
          Version: "2012-10-17"
- Manually attach an AWS managed and/or customer managed policy to the role in the IAM console
- Run drift detection on the stack
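As an added example (not part of this issue or of CloudFormation's own tooling), a Python check that performs the comparison the drift report is missing here: the ManagedPolicyArns and inline Policies declared for the role in the template versus what IAM reports as attached to the physical role. The template and the live role listing are constructed samples; fetch_live_policies is a hypothetical helper that reads the real role with boto3.

```python
import json

# Constructed sample: the issue's template, extended with one managed policy and
# one inline policy so the comparison below has a declared baseline.
TEMPLATE = {"Resources": {"testRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Action": "sts:AssumeRole", "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"}}]},
        "ManagedPolicyArns": [
            "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"],
        "Policies": [{"PolicyName": "inline-logs", "PolicyDocument": {}}],
    }}}}
# Constructed sample of what IAM reports for the physical role after someone
# attached a managed policy and added an inline policy in the console.
LIVE_ATTACHED = ["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
                 "arn:aws:iam::aws:policy/AdministratorAccess"]
LIVE_INLINE = ["inline-logs", "console-added"]

def policy_drift(template, logical_id, attached_arns, inline_names):
    """Compare the template's ManagedPolicyArns/Policies with the physical role
    in both directions. Assumes literal ARNs (no Ref/Sub intrinsics)."""
    props = template["Resources"][logical_id]["Properties"]
    managed = set(props.get("ManagedPolicyArns", []))
    inline = {p["PolicyName"] for p in props.get("Policies", [])}
    return {
        "unexpected_managed": sorted(set(attached_arns) - managed),
        "missing_managed": sorted(managed - set(attached_arns)),
        "unexpected_inline": sorted(set(inline_names) - inline),
        "missing_inline": sorted(inline - set(inline_names)),
    }

def is_drifted(report):
    return any(report.values())

def fetch_live_policies(role_name):
    """Hypothetical helper: read the physical role with boto3 (needs credentials)."""
    import boto3
    iam = boto3.client("iam")
    pages = iam.get_paginator("list_attached_role_policies").paginate(RoleName=role_name)
    attached = [p["PolicyArn"] for page in pages for p in page["AttachedPolicies"]]
    pages = iam.get_paginator("list_role_policies").paginate(RoleName=role_name)
    return attached, [n for page in pages for n in page["PolicyNames"]]

if __name__ == "__main__":
    report = policy_drift(TEMPLATE, "testRole", LIVE_ATTACHED, LIVE_INLINE)
    print("DRIFTED" if is_drifted(report) else "IN_SYNC", json.dumps(report, indent=2))
```

Against a real stack, replace the constructed LIVE_* values with the output of fetch_live_policies for the role's physical ID; any non-empty entry in the report is a policy change that the drift report described above would not surface.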