More Info:

Amazon CloudFormation stacks should have Termination Protection feature enabled in order to protect them from being accidentally deleted.

Risk Level

Low

Address

Reliability, Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate the issue of “AWS CloudFormation Stacks Should Have Termination Protection Enabled” for AWS using the AWS console:
  1. Log in to your AWS Management Console.
  2. Navigate to the AWS CloudFormation console.
  3. In the left navigation pane, select “Stacks”.
  4. Select the stack for which you want to enable termination protection.
  5. Click on the “Actions” button and select “Enable termination protection”.
  6. A pop-up window will appear, asking you to confirm the action. Click on “Yes, Enable” to confirm.
  7. Once you have enabled termination protection, you will see a lock icon next to the stack name indicating that it is now protected from accidental deletion.
That’s it! You have successfully remediated the issue of “AWS CloudFormation Stacks Should Have Termination Protection Enabled” for the selected stack.

To remediate the misconfiguration “AWS CloudFormation Stacks Should Have Termination Protection Enabled” in AWS using AWS CLI, you can follow the below steps:
  1. Open the AWS CLI on your local machine or EC2 instance.
  2. Check the status of termination protection for all the CloudFormation stacks in the AWS account by running the following command: 
aws cloudformation list-stacks --stack-status-filter CREATE_COMPLETE UPDATE_COMPLETE UPDATE_ROLLBACK_COMPLETE --query "StackSummaries[?EnableTerminationProtection=='False'].StackName" --output text
This command will list all the CloudFormation stacks in the AWS account that have termination protection disabled.
  1. Enable termination protection for each of the CloudFormation stacks listed in step 2 by running the following command:
aws cloudformation update-termination-protection --stack-name <stack-name> --enable-termination-protection
Replace <stack-name> with the name of the CloudFormation stack for which you want to enable termination protection.
  1. Repeat step 3 for each of the CloudFormation stacks listed in step 2.
  2. Verify the termination protection status for all the CloudFormation stacks in the AWS account by running the following command: 
aws cloudformation list-stacks --stack-status-filter CREATE_COMPLETE UPDATE_COMPLETE UPDATE_ROLLBACK_COMPLETE --query "StackSummaries[?EnableTerminationProtection=='True'].StackName" --output text
This command will list all the CloudFormation stacks in the AWS account that have termination protection enabled.By following these steps, you can remediate the misconfiguration “AWS CloudFormation Stacks Should Have Termination Protection Enabled” in AWS using AWS CLI.
To remediate the misconfiguration of AWS CloudFormation stacks not having termination protection enabled, you can use the following steps in Python:
  1. Import the necessary AWS SDKs and modules:
import boto3
from botocore.exceptions import ClientError
  1. Create a boto3 session and CloudFormation client:
session = boto3.Session(region_name='your_aws_region')
cfn = session.client('cloudformation')
  1. Get a list of all CloudFormation stacks:
stacks = cfn.list_stacks(
    StackStatusFilter=[
        'CREATE_COMPLETE',
        'UPDATE_COMPLETE',
        'ROLLBACK_COMPLETE'
    ]
)['StackSummaries']
  1. Loop through the list of stacks and check if termination protection is enabled:
for stack in stacks:
    stack_name = stack['StackName']
    try:
        response = cfn.describe_termination_protection(
            StackName=stack_name
        )
        if not response['TerminationProtected']:
            print(f"{stack_name} does not have termination protection enabled.")
            # Enable termination protection
            cfn.update_termination_protection(
                StackName=stack_name,
                EnableTerminationProtection=True
            )
            print(f"{stack_name} now has termination protection enabled.")
    except ClientError as e:
        if e.response['Error']['Message'] == 'Stack with id {0} does not exist'.format(stack_name):
            print(f"{stack_name} does not exist.")
        else:
            print(f"Error checking termination protection for {stack_name}: {e}")
  1. Run the script and verify that termination protection is now enabled for all CloudFormation stacks.
Note: Make sure to replace “your_aws_region” with the region where your AWS resources are located.