aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

Drift detection can't detect inline policies added to an IAM Role. #936

Open tstibbs opened 3 years ago

tstibbs commented 3 years ago

Name of the resource

AWS::IAM::Role

Resource Name

AWS::IAM::Role

Issue Description

If an inline policy is added to an IAM role, drift detection should pick that up as drift (because the permissions of the role have materially changed).

Expected Behavior

Drift detection should mark the resource as 'MODIFIED' and thus the stack as 'DRIFTED'.

Observed Behavior

Drift detection marks the resource and stack as 'IN_SYNC'.

Test Cases

  1. Deploy a stack with the following template:
    Resources:
      testRole:
        Type: AWS::IAM::Role
        Properties:
          AssumeRolePolicyDocument:
            Statement:
              - Action: sts:AssumeRole
                Effect: Allow
                Principal:
                  Service: lambda.amazonaws.com
            Version: "2012-10-17"
  2. Manually add an inline policy to the role in the IAM console
  3. Run drift detect
  4. Note that drift detection doesn't pick up the added policy

Other Details

No response
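A compensating check for the gap this issue describes, as an added example that is not part of the issue or of CloudFormation itself: it compares the inline policies declared under the role's Policies property with the inline policies IAM actually reports and flags any difference as MODIFIED, which is what the reporter expects drift detection to do. The template is the one from the test case above; the live IAM response is a constructed sample, and the optional live fetch assumes boto3 is installed and credentials are configured.

```python
import json

# Template from the issue's test case: an AWS::IAM::Role that declares no inline Policies.
ISSUE_TEMPLATE = {"Resources": {"testRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
        "Action": "sts:AssumeRole", "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"}}]}}}}}

# Constructed sample of what IAM reports after a policy is added by hand in the console.
CONSTRUCTED_LIVE = {"manual-s3-access": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}}


def declared_inline_policies(template, logical_id):
    """Return {name: document} for inline policies declared under Properties.Policies."""
    props = template["Resources"][logical_id]["Properties"]
    return {p["PolicyName"]: p["PolicyDocument"] for p in props.get("Policies", [])}


def fetch_live_inline_policies(role_name):
    """Read the role's inline policies from IAM (live call; not used by the offline demo)."""
    import boto3  # only needed for the live path
    iam = boto3.client("iam")
    live = {}
    for page in iam.get_paginator("list_role_policies").paginate(RoleName=role_name):
        for name in page["PolicyNames"]:
            live[name] = iam.get_role_policy(RoleName=role_name, PolicyName=name)["PolicyDocument"]
    return live


def _canon(doc):
    # Key order and whitespace are not semantically meaningful in a policy document.
    return json.dumps(doc, sort_keys=True, separators=(",", ":"))


def inline_policy_drift(declared, live):
    """Classify inline-policy differences as drift detection would if it covered them."""
    added = sorted(set(live) - set(declared))
    removed = sorted(set(declared) - set(live))
    changed = sorted(n for n in declared if n in live and _canon(declared[n]) != _canon(live[n]))
    status = "MODIFIED" if (added or removed or changed) else "IN_SYNC"
    return {"status": status, "added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    declared = declared_inline_policies(ISSUE_TEMPLATE, "testRole")
    print(inline_policy_drift(declared, CONSTRUCTED_LIVE))
```

To check a deployed role, replace CONSTRUCTED_LIVE with fetch_live_inline_policies(physical_role_name), where the physical name comes from the stack's resource list.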

jacobtolar commented 2 years ago

Drift detection also doesn't notice drift in policies for KMS keys.

E.g.

  1. Deploy stack with KMS key and list of policies
  2. Manually remove one key policy from the key
  3. Run drift detection
  4. No drift is detected

Jacco commented 2 years ago

This is arguably one of the most important things to detect with drift detection.

I want to verify that all landing zone resources that should not or cannot be tampered with have indeed not changed.