More Info:

Your AWS CloudFormation stacks should be using policies as a fail-safe mechanism in order to prevent accidental updates to stack resources.

Risk Level

Low

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “CloudFormation Stack Policy Should Use A Fail-Safe Mechanism” in AWS using the AWS console, you can follow the below steps:
  1. Login to the AWS Management Console.
  2. Go to the CloudFormation service.
  3. Click on the Stack for which you want to remediate the misconfiguration.
  4. Click on the “Permissions” tab.
  5. Scroll down to the “Stack Policy” section.
  6. Click on the “Edit” button.
  7. Add the following statement to the policy:
{
    "Effect": "Deny",
    "Action": "Update:Delete",
    "Principal": "*",
    "Resource": "*",
    "Condition": {
        "Null": {
            "aws:ResourceTag/aws:cloudformation:stack-name": "true"
        }
    }
}
This statement will deny any update that deletes a resource in the stack, unless the resource has a tag with the key “aws:cloudformation:stack-name” set to a non-null value.
  1. Click on the “Save” button to save the updated Stack Policy.
By adding this statement to the Stack Policy, you have implemented a fail-safe mechanism that prevents accidental deletion of resources in the stack.

To remediate the misconfiguration “CloudFormation Stack Policy Should Use A Fail-Safe Mechanism” in AWS using AWS CLI, follow the below steps:
  1. Open the AWS CLI on your local machine or AWS CLI shell.
  2. Run the following command to create a stack policy with a fail-safe mechanism: 
aws cloudformation set-stack-policy --stack-name <stack-name> --stack-policy-body file://<path-to-policy-file>
Note: Replace <stack-name> with the name of the stack that you want to apply the policy to and <path-to-policy-file> with the path to the policy file on your local machine.
  1. Verify that the stack policy has been set successfully by running the following command:
aws cloudformation get-stack-policy --stack-name <stack-name>
Note: Replace <stack-name> with the name of the stack that you applied the policy to.
  1. If the output of the above command shows the policy that you set, then the remediation is successful.
By following the above steps, you can remediate the misconfiguration “CloudFormation Stack Policy Should Use A Fail-Safe Mechanism” in AWS using AWS CLI.
To remediate the misconfiguration “CloudFormation Stack Policy Should Use A Fail-Safe Mechanism” in AWS using Python, you can follow the below steps:
  1. Install the AWS SDK for Python (Boto3) using the following command:
pip install boto3
  1. Use the following Python code to remediate the misconfiguration:
import boto3

# Create a CloudFormation client
client = boto3.client('cloudformation')

# Get the stack policy for the specified stack
stack_policy = client.get_stack_policy(StackName='STACK_NAME')['StackPolicyBody']

# Check if the stack policy has a fail-safe mechanism
if 'Statement' in stack_policy:
    for statement in stack_policy['Statement']:
        if 'Effect' in statement and statement['Effect'] == 'Deny' and 'Action' in statement and statement['Action'] == '*':
            # If a deny statement with action "*" is found, remove it
            stack_policy['Statement'].remove(statement)

# Update the stack policy with the new policy
client.set_stack_policy(StackName='STACK_NAME', StackPolicyBody=stack_policy)
Replace STACK_NAME with the name of the stack for which you want to remediate the misconfiguration.This code will retrieve the stack policy for the specified stack, check if it contains a fail-safe mechanism (a deny statement with action ”*”), and remove it if found. Finally, it will update the stack policy with the new policy that includes the fail-safe mechanism.

Additional Reading: