More Info:
Your AWS CloudFormation stacks should use stack policies as a fail-safe mechanism in order to prevent accidental updates to stack resources.

Risk Level: Low
Address: Security
Compliance Standards: CBP

Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “CloudFormation Stack Policy Should Use A Fail-Safe Mechanism” in AWS using the AWS console, you can follow the steps below:
- Log in to the AWS Management Console.
- Go to the CloudFormation service.
- Click on the stack for which you want to remediate the misconfiguration.
- Click on the “Permissions” tab.
- Scroll down to the “Stack Policy” section.
- Click on the “Edit” button.
- Add a deny statement to the policy. This statement will deny any update that deletes a resource in the stack, unless the resource has a tag with the key “aws:cloudformation:stack-name” set to a non-null value.
- Click on the “Save” button to save the updated Stack Policy.
Using CLI
To remediate the misconfiguration “CloudFormation Stack Policy Should Use A Fail-Safe Mechanism” in AWS using the AWS CLI, follow the steps below:
- Open the AWS CLI on your local machine or in the AWS CLI shell.
- Run the following command to create a stack policy with a fail-safe mechanism. Note: replace <stack-name> with the name of the stack that you want to apply the policy to, and <path-to-policy-file> with the path to the policy file on your local machine.
- Verify that the stack policy has been set successfully by running the following command. Note: replace <stack-name> with the name of the stack that you applied the policy to.
- If the output of the above command shows the policy that you set, the remediation is successful.
Using Python
To remediate the misconfiguration “CloudFormation Stack Policy Should Use A Fail-Safe Mechanism” in AWS using Python, you can follow the steps below:
- Install the AWS SDK for Python (Boto3) using the following command:
- Use the following Python code to remediate the misconfiguration. Replace STACK_NAME with the name of the stack for which you want to remediate the misconfiguration.
This code retrieves the stack policy for the specified stack, checks whether it already contains a fail-safe mechanism (a Deny statement with action “*”), removes that statement if found, and then sets a new stack policy that includes the fail-safe mechanism.
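The block below is an added example, not the page's own remediation code. It serves all three sections above: it builds the kind of fail-safe stack policy the console and CLI steps ask you to add, checks whether a stack's current policy already denies deletion or replacement of its resources (the same check the CLI verification step performs by eye), and applies the policy with boto3's real get_stack_policy and set_stack_policy calls. The policy body, the FakeCloudFormationClient stand-in used to run it offline, and the stack name demo-stack are constructed for this example; the fail-safe it installs denies Update:Delete and Update:Replace on every resource rather than using a tag condition.

```python
"""Detect and apply a fail-safe CloudFormation stack policy (added example)."""
import json

# Constructed fail-safe policy: allow every update action on every resource,
# but deny the two destructive actions so an accidental template change cannot
# delete or replace a resource without first relaxing the policy.
FAIL_SAFE_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": ["Update:Delete", "Update:Replace"],
            "Principal": "*",
            "Resource": "*",
        },
    ]
}

DESTRUCTIVE_ACTIONS = {"Update:Delete", "Update:Replace"}


def _as_list(value):
    """Stack policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def has_fail_safe(policy_body):
    """Return True if the policy denies deletion/replacement of all stack resources.

    A Deny statement on Resource "*" counts when its Action names both
    Update:Delete and Update:Replace, or covers them via Update:* or "*".
    An empty or missing policy body (no stack policy set) returns False.
    """
    if not policy_body:
        return False
    policy = json.loads(policy_body) if isinstance(policy_body, str) else policy_body
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        if actions & {"*", "Update:*"} or DESTRUCTIVE_ACTIONS <= actions:
            return True
    return False


def remediate(stack_name, client=None):
    """Install FAIL_SAFE_POLICY on stack_name unless a fail-safe is already present.

    Returns True when the policy was changed, False when nothing needed doing.
    `client` is any object exposing boto3's get_stack_policy/set_stack_policy;
    when omitted a real boto3 CloudFormation client is created.
    """
    if client is None:
        import boto3  # imported lazily so the pure helpers run without boto3 installed
        client = boto3.client("cloudformation")
    current = client.get_stack_policy(StackName=stack_name).get("StackPolicyBody")
    if has_fail_safe(current):
        return False
    client.set_stack_policy(
        StackName=stack_name, StackPolicyBody=json.dumps(FAIL_SAFE_POLICY)
    )
    return True


class FakeCloudFormationClient:
    """Constructed in-memory stand-in for boto3's CloudFormation client (offline demo)."""

    def __init__(self, policy_body=None):
        self.policy_body = policy_body

    def get_stack_policy(self, StackName):
        # boto3 returns {} with no StackPolicyBody key when no policy is set
        return {"StackPolicyBody": self.policy_body} if self.policy_body else {}

    def set_stack_policy(self, StackName, StackPolicyBody):
        self.policy_body = StackPolicyBody
        return {}


if __name__ == "__main__":
    # Constructed run: a stack with no policy gets the fail-safe, a second pass is a no-op.
    fake = FakeCloudFormationClient()
    print("changed:", remediate("demo-stack", fake))   # changed: True
    print("changed:", remediate("demo-stack", fake))   # changed: False
    print(fake.policy_body)
```

To run against a real account, call remediate("your-stack-name") with no client argument; the caller needs cloudformation:GetStackPolicy and cloudformation:SetStackPolicy permissions on the stack. Note that a stack policy only guards stack updates made through CloudFormation; it does not stop someone deleting the resource directly through the service's own API.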