More Info:

All your AWS CloudFormation stacks should be using Simple Notification Service (AWS SNS) in order to receive notifications when an event occurs.

Risk Level

Low

Address

Operational Maturity

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of “AWS CloudFormation Stack Should Have Notifications Enabled” in AWS using AWS console, follow the below steps:
  1. Login to the AWS Management Console.
  2. Go to the CloudFormation service.
  3. Select the stack for which you want to enable notifications.
  4. Click on the “Stack Settings” button located at the top of the page.
  5. In the “Advanced” section, click on “Edit”.
  6. Scroll down to the “Notification Options” section.
  7. Enable the “Receive stack notifications” option.
  8. Enter the email addresses of the recipients in the “Email list” field.
  9. Choose the events for which you want to receive notifications.
  10. Click on “Save” to save the changes.
Once you have completed the above steps, notifications will be enabled for the selected stack and you will receive email notifications for the selected events.

To remediate the misconfiguration “AWS CloudFormation Stack Should Have Notifications Enabled” for AWS using AWS CLI, follow these steps:
  1. Open the AWS CLI on your local machine.
  2. Run the following command to get a list of all the CloudFormation stacks in your AWS account: 
aws cloudformation list-stacks
  1. Identify the stack that needs to be remediated.
  2. Run the following command to update the stack with notification configuration: 
aws cloudformation update-stack --stack-name <stack-name> --notification-arns <notification-arn>
Replace <stack-name> with the name of the stack that needs to be remediated and <notification-arn> with the Amazon Resource Name (ARN) of the SNS topic that will be used to receive notifications.
  1. Verify that the notification configuration has been updated by running the following command:
aws cloudformation describe-stack-events --stack-name <stack-name>
This command will display the events associated with the stack, including the notification configuration updates.
  1. Repeat steps 4 and 5 for each stack that needs to be remediated.
By following these steps, you can remediate the misconfiguration “AWS CloudFormation Stack Should Have Notifications Enabled” for AWS using AWS CLI.
To remediate the misconfiguration of AWS CloudFormation Stack not having notifications enabled, you can use the following steps in Python:
  1. Import the necessary AWS SDK modules, such as boto3 and botocore.
import boto3
from botocore.exceptions import ClientError
  1. Create an AWS CloudFormation client object using the boto3 module.
cloudformation = boto3.client('cloudformation')
  1. Retrieve the list of existing CloudFormation stacks using the describe_stacks() method.
stacks = cloudformation.describe_stacks()
  1. Iterate through the list of stacks and check if the NotificationARNs attribute is present. If not, add it using the update_stack() method.
for stack in stacks['Stacks']:
    stack_name = stack['StackName']
    if 'NotificationARNs' not in stack:
        try:
            cloudformation.update_stack(
                StackName=stack_name,
                NotificationARNs=['arn:aws:sns:us-east-1:123456789012:my-topic']
            )
            print(f"Stack {stack_name} updated with notifications.")
        except ClientError as e:
            print(f"Error updating stack {stack_name}: {e}")
    else:
        print(f"Stack {stack_name} already has notifications enabled.")
  1. Replace the arn:aws:sns:us-east-1:123456789012:my-topic value with the ARN of the SNS topic you want to use for notifications.
These steps will enable notifications for all AWS CloudFormation stacks that do not have them enabled.

Additional Reading: