diff --git a/packages/aws-cdk/test/integ/cli/app/app.js b/packages/aws-cdk/test/integ/cli/app/app.js
index 33e2802ad2ac7..396d13b248aaa 100644
--- a/packages/aws-cdk/test/integ/cli/app/app.js
+++ b/packages/aws-cdk/test/integ/cli/app/app.js
@@ -107,7 +107,7 @@ class IamStack extends cdk.Stack {
     super(parent, id, props);
 
     new iam.Role(this, 'SomeRole', {
-      assumedBy: new iam.ServicePrincipal('ec2.amazon.aws.com')
+      assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com')
     });
   }
 }
diff --git a/packages/aws-cdk/test/integ/cli/cdk-helpers.ts b/packages/aws-cdk/test/integ/cli/cdk-helpers.ts
index 9256a56d7dc00..d43e7bfe23000 100644
--- a/packages/aws-cdk/test/integ/cli/cdk-helpers.ts
+++ b/packages/aws-cdk/test/integ/cli/cdk-helpers.ts
@@ -39,6 +39,7 @@ export interface ShellOptions extends child_process.SpawnOptions {
 
 export interface CdkCliOptions extends ShellOptions {
   options?: string[];
+  neverRequireApproval?: boolean;
 }
 
 export function log(x: string) {
@@ -48,8 +49,10 @@ export function log(x: string) {
 export async function cdkDeploy(stackNames: string | string[], options: CdkCliOptions = {}) {
   stackNames = typeof stackNames === 'string' ? [stackNames] : stackNames;
 
+  const neverRequireApproval = options.neverRequireApproval ?? true;
+
   return await cdk(['deploy',
-    '--require-approval=never', // We never want a prompt in an unattended test
+    ...(neverRequireApproval ? ['--require-approval=never'] : []), // Default to no approval in an unattended test
     ...(options.options ?? []),
     ...fullStackName(stackNames)], options);
 }
diff --git a/packages/aws-cdk/test/integ/cli/cli.integtest.ts b/packages/aws-cdk/test/integ/cli/cli.integtest.ts
index 731f901d90a0d..b63a694e0487a 100644
--- a/packages/aws-cdk/test/integ/cli/cli.integtest.ts
+++ b/packages/aws-cdk/test/integ/cli/cli.integtest.ts
@@ -160,9 +160,16 @@ test('security related changes without a CLI are expected to fail', async () =>
   // redirect /dev/null to stdin, which means there will not be tty attached
   // since this stack includes security-related changes, the deployment should
   // immediately fail because we can't confirm the changes
-  await expect(cdkDeploy('iam-test', {
+  const stackName = 'iam-test';
+  await expect(cdkDeploy(stackName, {
     options: ['<', '/dev/null'], // H4x, this only works because I happen to know we pass shell: true.
+    neverRequireApproval: false,
   })).rejects.toThrow('exited with error');
+
+  // Ensure stack was not deployed
+  await expect(cloudFormation('describeStacks', {
+    StackName: fullStackName(stackName),
+  })).rejects.toThrow('does not exist');
 });
 
 test('deploy wildcard with outputs', async () => {