Name of the resource
AWS::DynamoDB::Table
Resource Name
No response
Issue Description
According to the AWS CloudFormation documentation for DynamoDB tables, we can use either a KMS key ID or an alias in the template when we want to encrypt the table with AWS KMS. The problem is that if you use a KMS alias, CloudFormation detects a drift because it compares the KMS alias from the template with the KMS ID returned by the background call used by CloudFormation to get the table info.
Expected Behavior
No drift detection if we use a KMS alias in the CloudFormation template.
Observed Behavior
Drift detected if we use a KMS alias in the CloudFormation template.
Test Cases
Create a DynamoDB table encrypted using KMS alias. Run a "detect drift" operation.
Other Details
No response
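
A triage helper for the false positive reported above, as an added example that is not part of the original report or of CloudFormation itself: it separates a drift caused only by the alias-versus-key-ID comparison from a real change of the encryption key. It assumes drift entries shaped like the `DescribeStackResourceDrifts` response and aliases shaped like the KMS `ListAliases` response; the function names, alias name, account number and key IDs are constructed for illustration.

```python
# Constructed sample data; shapes follow DescribeStackResourceDrifts and
# KMS ListAliases responses. All IDs below are made up for illustration.
KEY_ID = "11111111-2222-3333-4444-555555555555"
OTHER_KEY_ID = "99999999-8888-7777-6666-555555555555"
KEY_ARN = f"arn:aws:kms:eu-west-1:111122223333:key/{KEY_ID}"
ALIASES = [{"AliasName": "alias/orders-table", "TargetKeyId": KEY_ID}]
KMS_PATH = "/SSESpecification/KMSMasterKeyId"


def key_id_of(ref, aliases):
    """Reduce an alias name, alias ARN, key ARN or bare key ID to a key ID."""
    if ref.startswith("arn:"):
        ref = ref.split(":", 5)[5]      # resource part: key/<id> or alias/<name>
    if ref.startswith("key/"):
        return ref[len("key/"):]
    if ref.startswith("alias/"):
        for alias in aliases:
            if alias["AliasName"] == ref:
                return alias.get("TargetKeyId")
        return None                     # unknown alias: equality cannot be proven
    return ref


def classify_drift(drift, aliases):
    """Return 'in_sync', 'alias_only' or 'real_drift' for one resource drift."""
    diffs = drift.get("PropertyDifferences", [])
    if not diffs:
        return "in_sync"
    for d in diffs:
        # Any difference other than a changed KMS key reference is real drift.
        if d["PropertyPath"] != KMS_PATH or d["DifferenceType"] != "NOT_EQUAL":
            return "real_drift"
        expected = key_id_of(d["ExpectedValue"], aliases)
        actual = key_id_of(d["ActualValue"], aliases)
        if expected is None or expected != actual:
            return "real_drift"         # the table uses a different key
    return "alias_only"


def sample_drift(actual, expected="alias/orders-table"):
    """Build a constructed drift entry for a table whose template uses an alias."""
    diff = {"PropertyPath": KMS_PATH, "DifferenceType": "NOT_EQUAL",
            "ExpectedValue": expected, "ActualValue": actual}
    return {"ResourceType": "AWS::DynamoDB::Table", "PropertyDifferences": [diff]}


if __name__ == "__main__":
    for actual in (KEY_ARN, OTHER_KEY_ID):
        print(actual, "->", classify_drift(sample_drift(actual), ALIASES))
```

Resolve the alias list at triage time, since an alias can be pointed at a different key after the stack was deployed.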