AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
CloudFormation Stacks Should Not Have A Failed Status
More Info:
None of your Amazon CloudFormation stacks should be in Failed mode for more than 6 hours. Any failed CloudFormation stacks that are not fixed on time can lead to application downtime, security issues or unexpected costs on your AWS bill.
Risk Level
Informational
Address
Operational Maturity
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate a CloudFormation stack with a failed status in AWS using the AWS console, follow these steps:
- Open the AWS Management Console and navigate to the CloudFormation service.
- Select the CloudFormation stack with a failed status that you want to remediate.
- Click on the “Events” tab to view the events associated with the stack.
- Review the events to identify the root cause of the failure. The event details will provide information on the resource that failed and the reason for the failure.
- Once you have identified the root cause of the failure, take the appropriate action to remediate the issue. This may involve updating the CloudFormation template, modifying the resource configuration, or resolving any dependencies or permissions issues.
- After making the necessary changes, update the CloudFormation stack by clicking on the “Update Stack” button.
- Follow the prompts to upload the updated template and apply the changes to the stack.
- Monitor the stack events to ensure that the update is successful and the stack status changes to “CREATE_COMPLETE” or “UPDATE_COMPLETE”.
By following these steps, you can remediate a CloudFormation stack with a failed status in AWS using the AWS console.
To remediate the CloudFormation Stack failed status in AWS using AWS CLI, follow these steps:
- Identify the CloudFormation Stack that has a failed status by running the following command in the AWS CLI:
aws cloudformation describe-stacks --stack-name <stack-name>
Replace <stack-name> with the name of the CloudFormation Stack that has a failed status.
- Check the events associated with the failed stack by running the following command:
aws cloudformation describe-stack-events --stack-name <stack-name>
This will provide information on the events that led to the failed status of the stack.
-
Fix any issues that caused the stack to fail. This may involve updating the CloudFormation template or fixing any resource dependencies.
-
Once the issues are fixed, update the stack by running the following command:
aws cloudformation update-stack --stack-name <stack-name> --template-body file://<path-to-template-file> --parameters file://<path-to-parameters-file>
Replace <stack-name> with the name of the CloudFormation Stack that has a failed status, <path-to-template-file> with the path to the updated CloudFormation template file, and <path-to-parameters-file> with the path to the updated parameters file.
- Wait for the stack to update and check its status by running the following command:
aws cloudformation describe-stacks --stack-name <stack-name>
If the stack status is CREATE_COMPLETE or UPDATE_COMPLETE, then the remediation is successful. If not, repeat steps 2 to 4 until the stack status is successful.
To remediate the “CloudFormation Stacks Should Not Have A Failed Status” misconfiguration in AWS using Python, you can follow the below steps:
- First, you need to identify the CloudFormation stack(s) that have a failed status. You can use the
boto3library in Python to get the list of CloudFormation stacks and their status.
import boto3
# Create a CloudFormation client
cf_client = boto3.client('cloudformation')
# Get the list of stacks
stacks = cf_client.list_stacks(StackStatusFilter=['CREATE_FAILED', 'ROLLBACK_COMPLETE'])
# Print the stack names and their status
for stack in stacks['StackSummaries']:
print(stack['StackName'], stack['StackStatus'])
- Once you have identified the failed stacks, you can delete them using the
delete_stackmethod of the CloudFormation client.
# Delete the failed stacks
for stack in stacks['StackSummaries']:
cf_client.delete_stack(StackName=stack['StackName'])
- You can also update the CloudFormation template and re-create the stack(s) to remediate the misconfiguration.
# Update the CloudFormation template
with open('template.yaml', 'r') as file:
template_body = file.read()
# Update the stack(s)
for stack in stacks['StackSummaries']:
cf_client.update_stack(StackName=stack['StackName'], TemplateBody=template_body)
Note: Make sure to test the CloudFormation template before updating the stack(s) to avoid any further misconfigurations.