AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
AWS CloudFormation Stacks Should Have Termination Protection Enabled
More Info:
Amazon CloudFormation stacks should have Termination Protection feature enabled in order to protect them from being accidentally deleted.
Risk Level
Low
Address
Reliability, Security
Compliance Standards
CBP
Triage and Remediation
Remediation
Sure, here are the step-by-step instructions to remediate the issue of “AWS CloudFormation Stacks Should Have Termination Protection Enabled” for AWS using the AWS console:
- Log in to your AWS Management Console.
- Navigate to the AWS CloudFormation console.
- In the left navigation pane, select “Stacks”.
- Select the stack for which you want to enable termination protection.
- Click on the “Actions” button and select “Enable termination protection”.
- A pop-up window will appear, asking you to confirm the action. Click on “Yes, Enable” to confirm.
- Once you have enabled termination protection, you will see a lock icon next to the stack name indicating that it is now protected from accidental deletion.
That’s it! You have successfully remediated the issue of “AWS CloudFormation Stacks Should Have Termination Protection Enabled” for the selected stack.
To remediate the misconfiguration “AWS CloudFormation Stacks Should Have Termination Protection Enabled” in AWS using AWS CLI, you can follow the below steps:
-
Open the AWS CLI on your local machine or EC2 instance.
-
Check the status of termination protection for all the CloudFormation stacks in the AWS account by running the following command:
aws cloudformation list-stacks --stack-status-filter CREATE_COMPLETE UPDATE_COMPLETE UPDATE_ROLLBACK_COMPLETE --query "StackSummaries[?EnableTerminationProtection=='False'].StackName" --output text
This command will list all the CloudFormation stacks in the AWS account that have termination protection disabled.
- Enable termination protection for each of the CloudFormation stacks listed in step 2 by running the following command:
aws cloudformation update-termination-protection --stack-name <stack-name> --enable-termination-protection
Replace <stack-name> with the name of the CloudFormation stack for which you want to enable termination protection.
-
Repeat step 3 for each of the CloudFormation stacks listed in step 2.
-
Verify the termination protection status for all the CloudFormation stacks in the AWS account by running the following command:
aws cloudformation list-stacks --stack-status-filter CREATE_COMPLETE UPDATE_COMPLETE UPDATE_ROLLBACK_COMPLETE --query "StackSummaries[?EnableTerminationProtection=='True'].StackName" --output text
This command will list all the CloudFormation stacks in the AWS account that have termination protection enabled.
By following these steps, you can remediate the misconfiguration “AWS CloudFormation Stacks Should Have Termination Protection Enabled” in AWS using AWS CLI.
To remediate the misconfiguration of AWS CloudFormation stacks not having termination protection enabled, you can use the following steps in Python:
- Import the necessary AWS SDKs and modules:
import boto3
from botocore.exceptions import ClientError
- Create a boto3 session and CloudFormation client:
session = boto3.Session(region_name='your_aws_region')
cfn = session.client('cloudformation')
- Get a list of all CloudFormation stacks:
stacks = cfn.list_stacks(
StackStatusFilter=[
'CREATE_COMPLETE',
'UPDATE_COMPLETE',
'ROLLBACK_COMPLETE'
]
)['StackSummaries']
- Loop through the list of stacks and check if termination protection is enabled:
for stack in stacks:
stack_name = stack['StackName']
try:
response = cfn.describe_termination_protection(
StackName=stack_name
)
if not response['TerminationProtected']:
print(f"{stack_name} does not have termination protection enabled.")
# Enable termination protection
cfn.update_termination_protection(
StackName=stack_name,
EnableTerminationProtection=True
)
print(f"{stack_name} now has termination protection enabled.")
except ClientError as e:
if e.response['Error']['Message'] == 'Stack with id {0} does not exist'.format(stack_name):
print(f"{stack_name} does not exist.")
else:
print(f"Error checking termination protection for {stack_name}: {e}")
- Run the script and verify that termination protection is now enabled for all CloudFormation stacks.
Note: Make sure to replace “your_aws_region” with the region where your AWS resources are located.