CloudFormation Deletion Policy Should Be in Use
More Info:
A deletion policy, implemented with the DeletionPolicy attribute, should be used for your Amazon CloudFormation stacks in order to preserve or back up AWS resources when the stacks are deleted.
Risk Level
Low
Address
Security, Operational Maturity
Compliance Standards
CBP
Triage and Remediation
Remediation
The CloudFormation deletion policy should be in use to ensure that resources created by CloudFormation are not accidentally deleted.
To remediate this misconfiguration in AWS using the AWS console, follow the below steps:
- Go to the AWS CloudFormation console.
- Select the stack for which you want to enable deletion protection.
- Click on the “Stack actions” button and select “Update stack”.
- In the “Specify stack details” page, scroll down to the “Advanced” section.
- In the “Deletion policy” section, select the “Retain” option for resources that you want to protect from deletion.
- Click on the “Next” button.
- In the “Review” page, review the changes and click on the “Update stack” button to apply the changes.
Once the deletion policy is enabled, the resources specified in the policy will not be deleted even if the CloudFormation stack is deleted.
To remediate the misconfiguration “CloudFormation Deletion Policy Should Be in Use” for AWS using AWS CLI, follow these steps:
- Open the AWS CLI on your local machine or EC2 instance.
- Run the following command to list all the CloudFormation stacks in your account:
  ```shell
  aws cloudformation list-stacks
  ```
- Identify the stack that has the misconfiguration and note down its name.
- Update the stack with a deletion policy. DeletionPolicy is a resource attribute inside the stack template, not a flag of update-stack, so add DeletionPolicy: Retain to every resource that must survive stack deletion (fetch the current template with aws cloudformation get-template --stack-name <stack-name> if you have no local copy) and submit the edited template:
  ```shell
  aws cloudformation update-stack --stack-name <stack-name> --template-body file://<template-file>
  ```
  Note: Replace <stack-name> with the actual name of the stack that needs to be updated and <template-file> with the path to the edited template. Add --capabilities CAPABILITY_NAMED_IAM if the template declares IAM resources.
- Wait for the stack update to complete. You can check the status of the stack update using the following command:
  ```shell
  aws cloudformation describe-stacks --stack-name <stack-name> --query "Stacks[].StackStatus"
  ```
  Note: Replace <stack-name> with the actual name of the stack that needs to be updated.
- Verify that the deletion policy has been set correctly by retrieving the deployed template and confirming that each resource that needs to be retained carries DeletionPolicy: Retain:
  ```shell
  aws cloudformation get-template --stack-name <stack-name> --query TemplateBody
  ```
  Note: Replace <stack-name> with the actual name of the stack that needs to be updated.
- Repeat steps 4-6 for any other stacks that have the misconfiguration.
By following these steps, you can remediate the misconfiguration “CloudFormation Deletion Policy Should Be in Use” for AWS using AWS CLI.
To remediate the misconfiguration “CloudFormation Deletion Policy Should Be in Use” in AWS using Python, follow these steps:
- Install the AWS SDK for Python (Boto3) using pip:
  ```shell
  pip install boto3
  ```
- Create a Boto3 client for CloudFormation:
  ```python
  import json
  import boto3

  client = boto3.client('cloudformation')
  ```
- Retrieve the list of CloudFormation stacks:
  ```python
  response = client.list_stacks(
      StackStatusFilter=[
          'CREATE_COMPLETE',
          'UPDATE_COMPLETE',
          'ROLLBACK_COMPLETE'
      ]
  )
  stack_names = [stack['StackName'] for stack in response['StackSummaries']]
  ```
- For each stack, retrieve its template and check whether each resource defines a DeletionPolicy. The attribute lives in the template, so read it with get_template; the output of describe_stack_resources does not include it:
  ```python
  for stack_name in stack_names:
      # TemplateBody is a dict for JSON templates and a string for YAML templates
      template = client.get_template(StackName=stack_name)['TemplateBody']
      if isinstance(template, str):
          template = json.loads(template)  # for YAML templates parse with yaml.safe_load instead
      for logical_id, resource in template.get('Resources', {}).items():
          if 'DeletionPolicy' not in resource:
              print(f"Resource {logical_id} in stack {stack_name} does not have a DeletionPolicy defined.")
  ```
- If a resource is found without a DeletionPolicy, add the attribute to the template and submit it with the
update_stack
method (template and stack_name are the values from the previous step):
  ```python
  # Give every resource that lacks the attribute a DeletionPolicy of Retain,
  # leaving any value the template author already set untouched
  for logical_id, resource in template['Resources'].items():
      resource.setdefault('DeletionPolicy', 'Retain')
  client.update_stack(
      StackName=stack_name,
      TemplateBody=json.dumps(template),
      Capabilities=[
          'CAPABILITY_NAMED_IAM'
      ]
  )
  ```
In the above example, the DeletionPolicy is set to ‘Retain’, which means that the resource will not be deleted when the CloudFormation stack is deleted. You can choose a different DeletionPolicy based on your requirements.
- Run the script periodically to ensure that all CloudFormation stacks have a DeletionPolicy defined for their resources.
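The audit-and-update loop above, as an added example that is not part of the original page or of any AWS tooling, generalised into a pure function that works on a parsed template plus a thin boto3 wrapper: it picks Snapshot where CloudFormation supports it and Retain elsewhere, sets the companion UpdateReplacePolicy so a replacement during an update cannot drop the resource either, and leaves any policy the template author already chose alone. The sample template, its resource names, the SNAPSHOT_CAPABLE set and the function names are my own assumptions.

```python
import copy
import json

# Resource types for which CloudFormation accepts DeletionPolicy: Snapshot (assumed list).
SNAPSHOT_CAPABLE = {"AWS::EC2::Volume", "AWS::ElastiCache::CacheCluster",
                    "AWS::ElastiCache::ReplicationGroup", "AWS::Neptune::DBCluster",
                    "AWS::RDS::DBCluster", "AWS::RDS::DBInstance", "AWS::Redshift::Cluster"}

# Constructed sample template for a hypothetical stack, not taken from any real account.
SAMPLE_TEMPLATE = {"Resources": {
    "AuditBucket": {"Type": "AWS::S3::Bucket"},
    "AppDb": {"Type": "AWS::RDS::DBInstance", "Properties": {"Engine": "postgres"}},
    "Scratch": {"Type": "AWS::SQS::Queue", "DeletionPolicy": "Delete"},
}}


def find_unprotected(template):
    """Logical IDs of resources that carry no DeletionPolicy attribute at all."""
    return sorted(lid for lid, res in template.get("Resources", {}).items()
                  if "DeletionPolicy" not in res)


def harden_template(template, prefer_snapshot=True):
    """Return (hardened copy, {logical_id: policy}) with a DeletionPolicy and a matching
    UpdateReplacePolicy added to every resource that lacks one. Resources that already
    declare a policy (even an explicit 'Delete' on scratch resources) are left as-is."""
    hardened = copy.deepcopy(template)
    changed = {}
    for lid, res in hardened.get("Resources", {}).items():
        if "DeletionPolicy" in res:
            continue
        policy = "Snapshot" if prefer_snapshot and res.get("Type") in SNAPSHOT_CAPABLE else "Retain"
        res["DeletionPolicy"] = policy
        res.setdefault("UpdateReplacePolicy", policy)
        changed[lid] = policy
    return hardened, changed


def remediate_stack(stack_name, client=None):
    """Fetch a stack's template, harden it and submit the update through boto3.
    Returns the policies applied; an empty dict means the stack needed no change."""
    import boto3  # imported here so the pure helpers above run without the SDK installed
    client = client or boto3.client("cloudformation")
    template = client.get_template(StackName=stack_name)["TemplateBody"]
    if isinstance(template, str):  # YAML templates come back as text, JSON ones as a dict
        raise ValueError("YAML template: parse it (e.g. yaml.safe_load) before hardening")
    hardened, changed = harden_template(template)
    if changed:
        client.update_stack(StackName=stack_name, TemplateBody=json.dumps(hardened),
                            Capabilities=["CAPABILITY_NAMED_IAM"])
    return changed
```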