More Info:

A deletion policy, implemented with the DeletionPolicy attribute, should be used for your Amazon CloudFormation stacks in order preserve or backup AWS resources when the stacks are deleted.

Risk Level

Low

Address

Security, Operational Maturity

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

The CloudFormation deletion policy should be in use to ensure that resources created by CloudFormation are not accidentally deleted.To remediate this misconfiguration in AWS using the AWS console, follow the below steps:
  1. Go to the AWS CloudFormation console.
  2. Select the stack for which you want to enable deletion protection.
  3. Click on the “Stack actions” button and select “Update stack”.
  4. In the “Specify stack details” page, scroll down to the “Advanced” section.
  5. In the “Deletion policy” section, select the “Retain” option for resources that you want to protect from deletion.
  6. Click on the “Next” button.
  7. In the “Review” page, review the changes and click on the “Update stack” button to apply the changes.
Once the deletion policy is enabled, the resources specified in the policy will not be deleted even if the CloudFormation stack is deleted.

To remediate the misconfiguration “CloudFormation Deletion Policy Should Be in Use” for AWS using AWS CLI, follow these steps:
  1. Open the AWS CLI on your local machine or EC2 instance.
  2. Run the following command to list all the CloudFormation stacks in your account: 
    aws cloudformation list-stacks
  3. Identify the stack that has the misconfiguration and note down its name.
  4. Run the following command to update the stack with a deletion policy: 
    aws cloudformation update-stack --stack-name <stack-name> --deletion-policy Retain
    Note: Replace <stack-name> with the actual name of the stack that needs to be updated.
  5. Wait for the stack update to complete. You can check the status of the stack update using the following command: 
    aws cloudformation describe-stacks --stack-name <stack-name> --query "Stacks[].StackStatus"
    Note: Replace <stack-name> with the actual name of the stack that needs to be updated.
  6. Verify that the deletion policy has been set correctly by running the following command: 
    aws cloudformation describe-stack-resource --stack-name <stack-name> --logical-resource-id <logical-resource-id>
    Note: Replace <stack-name> with the actual name of the stack that needs to be updated and <logical-resource-id> with the ID of the resource that needs to be retained.
  7. Repeat steps 4-6 for any other stacks that have the misconfiguration.
By following these steps, you can remediate the misconfiguration “CloudFormation Deletion Policy Should Be in Use” for AWS using AWS CLI.
To remediate the misconfiguration “CloudFormation Deletion Policy Should Be in Use” in AWS using Python, follow these steps:
  1. Install the AWS SDK for Python (Boto3) using pip:
pip install boto3
  1. Create a Boto3 client for CloudFormation:
import boto3

client = boto3.client('cloudformation')
  1. Retrieve the list of CloudFormation stacks:
response = client.list_stacks(
    StackStatusFilter=[
        'CREATE_COMPLETE',
        'UPDATE_COMPLETE',
        'ROLLBACK_COMPLETE'
    ]
)

stack_names = [stack['StackName'] for stack in response['StackSummaries']]
  1. For each stack, retrieve its resources and check if a DeletionPolicy is defined:
for stack_name in stack_names:
    response = client.describe_stack_resources(StackName=stack_name)
    
    for resource in response['StackResources']:
        if 'DeletionPolicy' not in resource:
            print(f"Resource {resource['LogicalResourceId']} in stack {stack_name} does not have a DeletionPolicy defined.")
  1. If a resource is found without a DeletionPolicy, add one using the update_stack method:
client.update_stack(
    StackName=stack_name,
    UsePreviousTemplate=True,
    Capabilities=[
        'CAPABILITY_NAMED_IAM'
    ],
    ResourceTypes=[
        'AWS::*'
    ],
    StackPolicyBody='{"Statement": [{"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"}]}',
    DeletionPolicy='Retain'
)
In the above example, the DeletionPolicy is set to ‘Retain’, which means that the resource will not be deleted when the CloudFormation stack is deleted. You can choose a different DeletionPolicy based on your requirements.
  1. Run the script periodically to ensure that all CloudFormation stacks have a DeletionPolicy defined for their resources.

Additional Reading: