Repo-history example

AWS configure-aws-credentials: one role-chaining output change the repo's own checks missed.

In a measured replay of three real commits from aws-actions/configure-aws-credentials, the same selected checks passed in standard CI every time. DriftFence stayed quiet through two commits, then flagged one cross-account role-chaining output change.

With approved AWS identity-output behavior fixed in Git, DriftFence would have started flagging the moment the action began reporting the assumed account instead of the source account.

First divergence

Cross-account role chaining started reporting the assumed account.

The first two commits in this window stayed conforming. On the third commit, the action started reporting the assumed account after role chaining instead of the source account, while the same selected checks still passed in standard CI.

Blocked case

Role chaining switched the final account output.

In the approved baseline, the final reported account stayed on the source identity after cross-account role chaining. After the fix landed, the reported account switched to the assumed identity instead.

DriftFence report

  • Scenario: configure-aws-credentials.aws.identity.role-chaining-account-output
  • Expected: output.accountIdOutput = 111111111111
  • Observed: output.accountIdOutput = 222222222222
  • Classification: violating

The OIDC account-output and direct IAM-user account-output controls did not trigger DriftFence on the same three-commit slice. The flagged change stayed on one AWS identity-output surface.

Across the replay window

Two quiet commits, then one clear role-chaining onset.

This replay is stronger than a recurring-all-red window because the onset comes after two quiet commits on the same selected test surface and keeps two matched quiet controls.

Quiet commits first

Two unrelated changes stayed conforming

  • 6e3375d removed release-automation wiring.
  • a7a2c11 updated the action to Node 24.
  • Neither commit changed the protected identity-output behavior.

Then the onset

One fix changed the reported account

  • 7ceaf96 corrected role-chaining outputs.
  • The reported account switched from source to assumed identity.
  • DriftFence flagged that change while the same checks stayed green.

Nearby controls

Two comparison cases stayed quiet

  • OIDC account output stayed conforming across the whole slice.
  • Direct IAM-user account output stayed conforming too.
  • Both controls stayed quiet on the same selected test surface.

Method

How it was measured.

This replay fixes one AWS identity-output baseline, reruns the same selected tests on each commit, and counts the role-chaining onset once because only one commit in the window drifted.

  • Replay size: 3 commits
  • Fixed workflows: role-chaining, OIDC account output, and IAM-user account output
  • The same selected checks reran on every commit in the window
  • DriftFence reran on every commit with the same approved baseline
  • Longitudinal follow-up found 1 onset and 2 matched quiet controls
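
The replay logic described in this method, as an added sketch that is not DriftFence's own code: one fixed baseline is compared against each commit's outputs, and the onset is counted once per scenario. The two control scenario names, the control account values, and the per-commit observations are constructed assumptions; the commit ids, the role-chaining scenario name, and its account values come from the page.

```python
# Added illustration, not DriftFence's implementation.
from dataclasses import dataclass
from typing import Optional

KEY = "output.accountIdOutput"
ROLE_CHAINING = "configure-aws-credentials.aws.identity.role-chaining-account-output"
OIDC = "example.oidc-account-output"          # hypothetical scenario name
IAM_USER = "example.iam-user-account-output"  # hypothetical scenario name

# Approved baseline: fixed once, reused unchanged for every commit.
BASELINE = {s: {KEY: "111111111111"} for s in (ROLE_CHAINING, OIDC, IAM_USER)}

def outputs(role_chaining_account: str) -> dict:
    """Constructed observations for one commit; the controls never change."""
    return {
        ROLE_CHAINING: {KEY: role_chaining_account},
        OIDC: {KEY: "111111111111"},
        IAM_USER: {KEY: "111111111111"},
    }

# Constructed replay window, oldest commit first (commit ids from the page).
WINDOW = [
    ("6e3375d", outputs("111111111111")),
    ("a7a2c11", outputs("111111111111")),
    ("7ceaf96", outputs("222222222222")),
]

@dataclass(frozen=True)
class Finding:
    commit: str
    scenario: str
    key: str
    expected: str
    observed: Optional[str]  # None when the output was not produced at all

def replay(window):
    """Return (findings, onsets): all violations, and each scenario's first violating commit."""
    findings, onsets = [], {}
    for commit, observed in window:
        for scenario, expected in BASELINE.items():
            got = observed.get(scenario, {})
            for key, want in expected.items():
                if got.get(key) != want:  # a missing output also violates (fail closed)
                    findings.append(Finding(commit, scenario, key, want, got.get(key)))
                    onsets.setdefault(scenario, commit)  # count the onset once
    return findings, onsets

if __name__ == "__main__":
    for f in replay(WINDOW)[0]:
        print(f"{f.commit} {f.scenario}: expected {f.expected}, observed {f.observed} -> violating")
```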

Source material

Method and source files.

The links below show the benchmark notes and pinned replay plan for this AWS action example.

Measurement notes

The benchmark results log records the completed AWS window, including the replay size, outcome mix, and first flagged change.

Fixed test plan

The replay definition fixes the three AWS identity-output workflows and the exact January 2026 replay window used here.
