Open tstibbs opened 3 years ago
Drift detection also doesn't notice drift in policies for KMS keys.
E.g.
This is arguably one of the most important things to detect with drift detection.
I want to verify that all landing zone resources that should not or cannot be tampered with have indeed not changed.
Resource Name
AWS::IAM::Role
Issue Description
If an inline policy is added to an IAM role, drift detection should pick that up as drift (because the permissions of the role have materially changed).
Expected Behavior
Drift detection should mark the resource as 'MODIFIED' and thus the stack as 'DRIFTED'.
Observed Behavior
Drift detection marks the resource and stack as 'IN_SYNC'.
Test Cases
Other Details
No response
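The issue body describes the gap: an inline policy added to a role out of band leaves the resource and stack reported as IN_SYNC. The Python below is an added example, not code from this issue or from AWS, of a complementary check that compares the inline and managed policies an AWS::IAM::Role declares in a template with what IAM actually reports for the role. The template resource, the policy documents and the "live" IAM data are constructed samples; `fetch_live_role` shows how the live side would be read with a boto3 IAM client (it is not called in the sample). Policy documents are assumed to be literal: intrinsic functions such as Fn::Sub or Ref are not resolved here.

```python
import json
from typing import Any, Dict, List, Set, Tuple

# Constructed sample: an AWS::IAM::Role as it appears in a CloudFormation template (JSON form).
S3_READ_ONLY_DOC: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}
SAMPLE_TEMPLATE_ROLE: Dict[str, Any] = {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "RoleName": "ExampleRole",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Principal": {"Service": "lambda.amazonaws.com"}}],
        },
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/CloudWatchLogsReadOnlyAccess"],
        "Policies": [{"PolicyName": "S3ReadOnly", "PolicyDocument": S3_READ_ONLY_DOC}],
    },
}

# Constructed sample of what IAM reports for the live role: the declared inline policy is
# still there, but a second one was added by hand. This is the case the issue describes.
LIVE_INLINE_POLICIES: Dict[str, Dict[str, Any]] = {
    "S3ReadOnly": S3_READ_ONLY_DOC,
    "AddedByHand": {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]},
}
LIVE_MANAGED_POLICY_ARNS: Set[str] = {"arn:aws:iam::aws:policy/CloudWatchLogsReadOnlyAccess"}


def _canonical(doc: Dict[str, Any]) -> str:
    """Canonical JSON so that key order and whitespace differences do not count as drift."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":"))


def template_role_policies(resource: Dict[str, Any]) -> Tuple[Dict[str, str], Set[str]]:
    """Inline policies (name -> canonical document) and managed policy ARNs declared
    by an AWS::IAM::Role resource. Policy documents must be literal JSON (no intrinsics)."""
    props = resource.get("Properties", {})
    inline = {p["PolicyName"]: _canonical(p["PolicyDocument"]) for p in props.get("Policies", [])}
    managed = set(props.get("ManagedPolicyArns", []))
    return inline, managed


def detect_role_drift(resource: Dict[str, Any],
                      live_inline: Dict[str, Dict[str, Any]],
                      live_managed: Set[str]) -> Tuple[str, List[Tuple[str, str]]]:
    """Return ('MODIFIED' | 'IN_SYNC', sorted findings). A finding is (kind, policy name or ARN).
    Unlike CloudFormation drift detection as described in the issue, an inline policy that
    exists on the live role but not in the template is reported as drift."""
    declared_inline, declared_managed = template_role_policies(resource)
    live_inline_c = {name: _canonical(doc) for name, doc in live_inline.items()}
    findings: List[Tuple[str, str]] = []
    findings += [("ADDED_INLINE_POLICY", n) for n in live_inline_c.keys() - declared_inline.keys()]
    findings += [("REMOVED_INLINE_POLICY", n) for n in declared_inline.keys() - live_inline_c.keys()]
    findings += [("MODIFIED_INLINE_POLICY", n) for n in declared_inline.keys() & live_inline_c.keys()
                 if declared_inline[n] != live_inline_c[n]]
    findings += [("ADDED_MANAGED_POLICY", a) for a in live_managed - declared_managed]
    findings += [("REMOVED_MANAGED_POLICY", a) for a in declared_managed - live_managed]
    return ("MODIFIED" if findings else "IN_SYNC"), sorted(findings)


def fetch_live_role(iam, role_name: str) -> Tuple[Dict[str, Dict[str, Any]], Set[str]]:
    """Read the live inline and managed policies of a role with a boto3 IAM client.
    boto3 returns get_role_policy's PolicyDocument already decoded to a dict."""
    inline: Dict[str, Dict[str, Any]] = {}
    for page in iam.get_paginator("list_role_policies").paginate(RoleName=role_name):
        for name in page["PolicyNames"]:
            inline[name] = iam.get_role_policy(RoleName=role_name, PolicyName=name)["PolicyDocument"]
    managed: Set[str] = set()
    for page in iam.get_paginator("list_attached_role_policies").paginate(RoleName=role_name):
        managed.update(p["PolicyArn"] for p in page["AttachedPolicies"])
    return inline, managed


if __name__ == "__main__":
    # Against a real account: inline, managed = fetch_live_role(boto3.client("iam"), "ExampleRole")
    status, findings = detect_role_drift(SAMPLE_TEMPLATE_ROLE, LIVE_INLINE_POLICIES, LIVE_MANAGED_POLICY_ARNS)
    print(status, findings)  # MODIFIED [('ADDED_INLINE_POLICY', 'AddedByHand')]
```

Run it against a real stack by loading the template resource from the deployed template (`describe_stacks` / `get_template`) and the live side with `fetch_live_role`; templates that build policy documents with intrinsic functions need those resolved before the comparison, otherwise every such policy shows as MODIFIED.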