CloudFormation Stack Policy Should Use A Fail-Safe Mechanism
More Info:
Your AWS CloudFormation stacks should have a stack policy as a fail-safe mechanism, so that a stack update cannot accidentally replace or delete critical stack resources.
Risk Level
Low
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration “CloudFormation Stack Policy Should Use A Fail-Safe Mechanism” in AWS using the AWS console, you can follow the below steps:
- Login to the AWS Management Console.
- Go to the CloudFormation service.
- A stack policy can be set from the console only while a stack is being created: in the “Create stack” wizard, on the “Configure stack options” page, expand “Advanced options” and paste the policy into the “Stack policy” section. For a stack that already exists, set or change the policy with the AWS CLI or API as described in the next section.
- Use a policy of the following form:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["Update:Replace", "Update:Delete"],
      "Principal": "*",
      "Resource": "*"
    }
  ]
}
The first statement allows ordinary in-place modifications (“Update:Modify”) of every resource; the second denies any update that would replace or delete a resource. An explicit Deny always overrides an Allow, so the fail-safe holds even though both statements cover all resources. The only valid actions in a stack policy are “Update:Modify”, “Update:Replace”, “Update:Delete” and “Update:*”, the “Principal” must be "*", and the only supported condition key is “ResourceType” (with “StringEquals” or “StringLike”); ordinary IAM condition keys such as “aws:ResourceTag” are not accepted in a stack policy. To protect only specific resources, narrow the Deny statement’s “Resource” to “LogicalResourceId/<logical-id>” (wildcards are allowed) or add a “ResourceType” condition instead of using "*".
- Complete the wizard to create the stack with the policy attached.
By applying a policy of this form, you have implemented a fail-safe mechanism that prevents accidental replacement or deletion of resources in the stack during updates. Three caveats apply. Once a stack policy is set it cannot be removed, only modified. An Allow statement is required: as soon as a policy exists, every resource is protected by default, so a policy containing only Deny statements blocks every update to every resource. Finally, a stack policy governs stack updates only; deleting the whole stack still deletes the protected resources, so combine the policy with termination protection on the stack or a DeletionPolicy on the resources that matter. When a protected resource genuinely must be replaced, pass a temporary override with --stack-policy-during-update-body on that one update instead of weakening the stored policy.
To remediate the misconfiguration “CloudFormation Stack Policy Should Use A Fail-Safe Mechanism” in AWS using AWS CLI, follow the below steps:
- Open the AWS CLI on your local machine or in AWS CloudShell, using credentials that are allowed to call cloudformation:SetStackPolicy and cloudformation:GetStackPolicy on the stack.
- Save the stack policy (for example, the JSON shown in the console steps above) to a file on your local machine.
- Run the following command to apply the policy to the stack:
aws cloudformation set-stack-policy --stack-name <stack-name> --stack-policy-body file://<path-to-policy-file>
Note: Replace <stack-name> with the name of the stack that you want to apply the policy to and <path-to-policy-file> with the path to the policy file on your local machine. Running the same command again with an edited file is also how the policy is changed later; a stack policy cannot be removed once it is set.
- Verify that the stack policy has been set successfully by running the following command:
aws cloudformation get-stack-policy --stack-name <stack-name>
Note: Replace <stack-name> with the name of the stack that you applied the policy to.
- The command returns the policy as a JSON string in the StackPolicyBody field. If it contains the Deny statement for “Update:Replace” and “Update:Delete”, the remediation is successful; if no StackPolicyBody is returned, no policy is set on the stack.
By following the above steps, you can remediate the misconfiguration “CloudFormation Stack Policy Should Use A Fail-Safe Mechanism” in AWS using AWS CLI.
To remediate the misconfiguration “CloudFormation Stack Policy Should Use A Fail-Safe Mechanism” in AWS using Python, you can follow the below steps:
- Install the AWS SDK for Python (Boto3) using the following command:
pip install boto3
- Use the following Python code to remediate the misconfiguration:
import json
import boto3
STACK_NAME = 'STACK_NAME'
DESTRUCTIVE_ACTIONS = ['Update:Replace', 'Update:Delete']
# Create a CloudFormation client
client = boto3.client('cloudformation')
# get_stack_policy returns the policy as a JSON string; StackPolicyBody is absent when no policy is set
body = client.get_stack_policy(StackName=STACK_NAME).get('StackPolicyBody')
policy = json.loads(body) if body else {'Statement': []}
statements = policy.setdefault('Statement', [])
def denies(statement, action):
    # True if this is a Deny statement whose Action field covers the given update action
    actions = statement.get('Action', [])
    actions = [actions] if isinstance(actions, str) else actions
    return statement.get('Effect') == 'Deny' and (action in actions or 'Update:*' in actions)
# A policy needs an Allow statement: once a policy exists, anything not allowed is denied
if not any(s.get('Effect') == 'Allow' for s in statements):
    statements.append({'Effect': 'Allow', 'Action': 'Update:*', 'Principal': '*', 'Resource': '*'})
# Add the fail-safe Deny unless a Deny statement already covers replacement and deletion
if not all(any(denies(s, a) for s in statements) for a in DESTRUCTIVE_ACTIONS):
    statements.append({'Effect': 'Deny', 'Action': DESTRUCTIVE_ACTIONS, 'Principal': '*', 'Resource': '*'})
# Write the policy back; the API expects the policy body as a JSON string
client.set_stack_policy(StackName=STACK_NAME, StackPolicyBody=json.dumps(policy))
Replace STACK_NAME with the name of the stack for which you want to remediate the misconfiguration.
This code retrieves the stack policy for the specified stack (get_stack_policy returns it as a JSON string and returns no StackPolicyBody when none is set), makes sure the policy has an Allow statement so that ordinary in-place updates keep working, checks whether a Deny statement already covers both “Update:Replace” and “Update:Delete”, and appends the fail-safe Deny statement if it does not. Finally, it writes the policy back with set_stack_policy, which expects the policy as a JSON string.
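As an added, offline example (not code from the original page or from any AWS tool), the following Python models how CloudFormation evaluates a stack policy against a proposed update and turns that into the audit check behind this finding. It encodes the rules stated in the remediation sections: with no policy every update is allowed; once a policy exists an explicit Deny wins over any Allow, and an update with no matching Allow is denied. The function names, the helper logic and the three sample policies are this example's own assumptions; load_stack_policy accepts any object with a boto3-style get_stack_policy method, so it can be given boto3.client('cloudformation') against a real account or a stub offline. It handles the Resource and NotResource fields, LogicalResourceId/ wildcards and the ResourceType condition, and is a simplified model of the documented rules rather than AWS's own evaluator.

```python
"""Offline model of CloudFormation stack-policy evaluation plus an audit check.

Added example: the names, helpers and sample policies below are assumptions
of this example, not AWS code and not code from the original page.
"""
import json
from fnmatch import fnmatchcase

DESTRUCTIVE_ACTIONS = ("Update:Replace", "Update:Delete")

# Constructed sample policy, in the form get_stack_policy returns it (a JSON
# string): allow in-place changes everywhere, deny replace/delete of RDS instances.
SAMPLE_POLICY_BODY = json.dumps({
    "Statement": [
        {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["Update:Replace", "Update:Delete"],
         "Principal": "*", "Resource": "*",
         "Condition": {"StringEquals": {"ResourceType": ["AWS::RDS::DBInstance"]}}},
    ]
})
FAIL_SAFE_POLICY = json.loads(SAMPLE_POLICY_BODY)
# Constructed weak policy: a policy exists, but nothing is ever denied.
WEAK_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"}]}
# Constructed deny-only policy: the common mistake, no Allow statement at all.
DENY_ONLY_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": "Update:Delete", "Principal": "*",
     "Resource": "LogicalResourceId/ProdDB"}]}


def _as_list(value):
    """Policy fields may be a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _matches(stmt, action, logical_id, resource_type):
    """Does this statement apply to the given action on the given resource?"""
    if not any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action"))):
        return False
    target = "LogicalResourceId/" + logical_id  # the form Resource entries use
    if "Resource" in stmt:
        if not any(fnmatchcase(target, r) for r in _as_list(stmt["Resource"])):
            return False
    elif "NotResource" in stmt:
        if any(fnmatchcase(target, r) for r in _as_list(stmt["NotResource"])):
            return False
    else:
        return False
    # The only condition key a stack policy supports is ResourceType.
    for operator, keys in stmt.get("Condition", {}).items():
        types = _as_list(keys.get("ResourceType"))
        if operator == "StringEquals" and resource_type not in types:
            return False
        if operator == "StringLike" and not any(fnmatchcase(resource_type, t) for t in types):
            return False
    return True


def is_update_allowed(policy, action, logical_id, resource_type):
    """No policy allows everything; an explicit Deny wins; otherwise the update
    needs a matching Allow, and without one it is denied."""
    if policy is None:
        return True
    allowed = False
    for stmt in policy.get("Statement", []):
        if not _matches(stmt, action, logical_id, resource_type):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_denies(policy):
    """Destructive actions that no Deny statement in the policy covers."""
    if not policy:
        return list(DESTRUCTIVE_ACTIONS)
    covered = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        for action in DESTRUCTIVE_ACTIONS:
            if any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action"))):
                covered.add(action)
    return [a for a in DESTRUCTIVE_ACTIONS if a not in covered]


def has_fail_safe(policy):
    """Audit verdict: a policy exists and denies both replacement and deletion
    somewhere (stricter than merely checking that some policy is set)."""
    return policy is not None and not missing_denies(policy)


def load_stack_policy(cfn, stack_name):
    """Fetch and parse a stack's policy via a boto3-style CloudFormation client
    (any object with get_stack_policy(StackName=...)); None when none is set."""
    body = cfn.get_stack_policy(StackName=stack_name).get("StackPolicyBody")
    return json.loads(body) if body else None


if __name__ == "__main__":
    for name, pol in [("none", None), ("weak", WEAK_POLICY),
                      ("fail-safe", FAIL_SAFE_POLICY), ("deny-only", DENY_ONLY_POLICY)]:
        delete_db = is_update_allowed(pol, "Update:Delete", "ProdDB", "AWS::RDS::DBInstance")
        modify_asg = is_update_allowed(pol, "Update:Modify", "WebASG",
                                       "AWS::AutoScaling::AutoScalingGroup")
        print(f"{name:10} delete ProdDB={delete_db!s:5} modify WebASG={modify_asg!s:5} "
              f"fail-safe={has_fail_safe(pol)} missing={missing_denies(pol)}")
```

Running it shows the point the remediation text makes: the deny-only policy blocks even an in-place modification of an unrelated autoscaling group, because nothing in it allows that update, while the fail-safe policy lets that modification through and still refuses to delete or replace the database.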