Enable stack termination protection remediation

Using Console

Using CLI

To remediate the misconfiguration “AWS CloudFormation Stacks Should Have Termination Protection Enabled” in AWS using AWS CLI, you can follow the below steps:

Open the AWS CLI on your local machine or EC2 instance.
Check the status of termination protection for all the CloudFormation stacks in the AWS account by running the following command:

aws cloudformation list-stacks --stack-status-filter CREATE_COMPLETE UPDATE_COMPLETE UPDATE_ROLLBACK_COMPLETE --query "StackSummaries[?EnableTerminationProtection=='False'].StackName" --output text

This command will list all the CloudFormation stacks in the AWS account that have termination protection disabled.

Enable termination protection for each of the CloudFormation stacks listed in step 2 by running the following command:

aws cloudformation update-termination-protection --stack-name <stack-name> --enable-termination-protection

Replace <stack-name> with the name of the CloudFormation stack for which you want to enable termination protection.

Repeat step 3 for each of the CloudFormation stacks listed in step 2.
Verify the termination protection status for all the CloudFormation stacks in the AWS account by running the following command:

aws cloudformation list-stacks --stack-status-filter CREATE_COMPLETE UPDATE_COMPLETE UPDATE_ROLLBACK_COMPLETE --query "StackSummaries[?EnableTerminationProtection=='True'].StackName" --output text

This command will list all the CloudFormation stacks in the AWS account that have termination protection enabled.By following these steps, you can remediate the misconfiguration “AWS CloudFormation Stacks Should Have Termination Protection Enabled” in AWS using AWS CLI.

Using Python

To remediate the misconfiguration of AWS CloudFormation stacks not having termination protection enabled, you can use the following steps in Python:

Import the necessary AWS SDKs and modules:

import boto3
from botocore.exceptions import ClientError

Create a boto3 session and CloudFormation client:

session = boto3.Session(region_name='your_aws_region')
cfn = session.client('cloudformation')

Get a list of all CloudFormation stacks:

stacks = cfn.list_stacks(
    StackStatusFilter=[
        'CREATE_COMPLETE',
        'UPDATE_COMPLETE',
        'ROLLBACK_COMPLETE'
    ]
)['StackSummaries']

Loop through the list of stacks and check if termination protection is enabled:

for stack in stacks:
    stack_name = stack['StackName']
    try:
        response = cfn.describe_termination_protection(
            StackName=stack_name
        )
        if not response['TerminationProtected']:
            print(f"{stack_name} does not have termination protection enabled.")
            # Enable termination protection
            cfn.update_termination_protection(
                StackName=stack_name,
                EnableTerminationProtection=True
            )
            print(f"{stack_name} now has termination protection enabled.")
    except ClientError as e:
        if e.response['Error']['Message'] == 'Stack with id {0} does not exist'.format(stack_name):
            print(f"{stack_name} does not exist.")
        else:
            print(f"Error checking termination protection for {stack_name}: {e}")

Run the script and verify that termination protection is now enabled for all CloudFormation stacks.

Note: Make sure to replace “your_aws_region” with the region where your AWS resources are located.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Enable stack termination protection remediation

Triage and Remediation

Remediation