Deletion policy in use remediation

Using Console

Using CLI

To remediate the misconfiguration “CloudFormation Deletion Policy Should Be in Use” for AWS using AWS CLI, follow these steps:

Open the AWS CLI on your local machine or EC2 instance.
Run the following command to list all the CloudFormation stacks in your account:
```
aws cloudformation list-stacks
```
Identify the stack that has the misconfiguration and note down its name.
Run the following command to update the stack with a deletion policy:
```
aws cloudformation update-stack --stack-name <stack-name> --deletion-policy Retain
```
Note: Replace <stack-name> with the actual name of the stack that needs to be updated.
Wait for the stack update to complete. You can check the status of the stack update using the following command:
```
aws cloudformation describe-stacks --stack-name <stack-name> --query "Stacks[].StackStatus"
```
Note: Replace <stack-name> with the actual name of the stack that needs to be updated.
Verify that the deletion policy has been set correctly by running the following command:
```
aws cloudformation describe-stack-resource --stack-name <stack-name> --logical-resource-id <logical-resource-id>
```
Note: Replace <stack-name> with the actual name of the stack that needs to be updated and <logical-resource-id> with the ID of the resource that needs to be retained.
Repeat steps 4-6 for any other stacks that have the misconfiguration.

By following these steps, you can remediate the misconfiguration “CloudFormation Deletion Policy Should Be in Use” for AWS using AWS CLI.

Using Python

To remediate the misconfiguration “CloudFormation Deletion Policy Should Be in Use” in AWS using Python, follow these steps:

Install the AWS SDK for Python (Boto3) using pip:

pip install boto3

Create a Boto3 client for CloudFormation:

import boto3

client = boto3.client('cloudformation')

Retrieve the list of CloudFormation stacks:

response = client.list_stacks(
    StackStatusFilter=[
        'CREATE_COMPLETE',
        'UPDATE_COMPLETE',
        'ROLLBACK_COMPLETE'
    ]
)

stack_names = [stack['StackName'] for stack in response['StackSummaries']]

For each stack, retrieve its resources and check if a DeletionPolicy is defined:

for stack_name in stack_names:
    response = client.describe_stack_resources(StackName=stack_name)
    
    for resource in response['StackResources']:
        if 'DeletionPolicy' not in resource:
            print(f"Resource {resource['LogicalResourceId']} in stack {stack_name} does not have a DeletionPolicy defined.")

If a resource is found without a DeletionPolicy, add one using the update_stack method:

client.update_stack(
    StackName=stack_name,
    UsePreviousTemplate=True,
    Capabilities=[
        'CAPABILITY_NAMED_IAM'
    ],
    ResourceTypes=[
        'AWS::*'
    ],
    StackPolicyBody='{"Statement": [{"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"}]}',
    DeletionPolicy='Retain'
)

In the above example, the DeletionPolicy is set to ‘Retain’, which means that the resource will not be deleted when the CloudFormation stack is deleted. You can choose a different DeletionPolicy based on your requirements.

Run the script periodically to ensure that all CloudFormation stacks have a DeletionPolicy defined for their resources.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Deletion policy in use remediation

Triage and Remediation

Remediation