Ensure that your AWS CloudFormation stacks are configured with Amazon SNS topics so that a notification is sent whenever an important stack event occurs. Monitoring stack events such as create (provisioning the resources defined in a template), update (changing the stack's configuration or resources) and delete (tearing down the stack and the AWS resources it owns) lets you respond quickly to any unauthorized action that alters your stack environment.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on the compliance standards supported by Conformity, see the Conformity documentation.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
With event notifications enabled, you gain visibility into AWS CloudFormation stack activity, which is useful for both security monitoring and operational management.
Audit
To determine whether event notifications are enabled for your AWS CloudFormation stacks, perform the following actions:
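The audit comes down to one question per stack: does its `NotificationARNs` list contain an SNS topic? The following script is an added example, not the Conformity rule's own check or AWS code. It evaluates the JSON shape returned by `aws cloudformation describe-stacks` (the same shape boto3's `describe_stacks` returns) against a constructed sample, and can optionally page through a real region with boto3 when run with `--live` (that mode assumes boto3 is installed and AWS credentials are available). The stack names, account ID and topic ARN in the sample are placeholders.

```python
"""Audit AWS CloudFormation stacks for missing Amazon SNS event notifications.

Offline check over describe-stacks output, plus an optional live mode that
needs boto3 and AWS credentials (added example; not Conformity or AWS code).
"""
import json
import sys

# Constructed sample of `aws cloudformation describe-stacks` output; the
# account ID, stack names and topic ARN are placeholders, not real data.
SAMPLE_DESCRIBE_STACKS = json.loads("""
{
  "Stacks": [
    {
      "StackName": "payments-api",
      "StackStatus": "CREATE_COMPLETE",
      "NotificationARNs": ["arn:aws:sns:us-east-1:123456789012:cfn-stack-events"]
    },
    {
      "StackName": "legacy-vpc",
      "StackStatus": "UPDATE_COMPLETE",
      "NotificationARNs": []
    },
    {
      "StackName": "old-batch",
      "StackStatus": "DELETE_IN_PROGRESS"
    }
  ]
}
""")

# Stacks that are being torn down are not reported; everything else is checked.
IGNORED_STATUSES = frozenset({"DELETE_IN_PROGRESS", "DELETE_COMPLETE"})


def is_sns_arn(arn):
    """True for an ARN whose service field is sns, in any partition (aws, aws-cn, aws-us-gov)."""
    parts = arn.split(":")
    return len(parts) >= 6 and parts[0] == "arn" and parts[2] == "sns"


def has_sns_notifications(stack):
    """True if the stack has at least one SNS topic ARN attached.

    A missing NotificationARNs key and an empty list both mean "no notifications".
    """
    return any(is_sns_arn(arn) for arn in stack.get("NotificationARNs") or [])


def stacks_without_notifications(describe_stacks_output, ignored_statuses=IGNORED_STATUSES):
    """Return the sorted names of stacks with no SNS topic attached (one page of output)."""
    findings = []
    for stack in describe_stacks_output.get("Stacks", []):
        if stack.get("StackStatus") in ignored_statuses:
            continue
        if not has_sns_notifications(stack):
            findings.append(stack["StackName"])
    return sorted(findings)


def audit_region(region_name=None):
    """Live audit: page through every stack in the region (requires boto3 and credentials)."""
    import boto3  # imported here so the offline functions work without it
    cf = boto3.client("cloudformation", region_name=region_name)
    findings = []
    for page in cf.get_paginator("describe_stacks").paginate():
        findings.extend(stacks_without_notifications(page))
    return sorted(findings)


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        names = audit_region(sys.argv[2] if len(sys.argv) > 2 else None)
    else:
        names = stacks_without_notifications(SAMPLE_DESCRIBE_STACKS)
    for name in names:
        print(f"NON-COMPLIANT: stack {name} has no SNS notification topic")
    sys.exit(1 if names else 0)
```

Run without arguments it reports `legacy-vpc` from the sample; with `--live us-east-1` it walks every page of `describe_stacks` in that region. A stack whose `NotificationARNs` list exists but holds a non-SNS ARN is also reported, since CloudFormation only delivers stack events to SNS topics.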
Remediation / Resolution
To associate your AWS CloudFormation stacks with Amazon SNS topics so that you receive email notifications whenever stack events occur, perform the following actions:
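The remediation is an `update-stack` call that reuses the existing template and parameters and only changes the notification ARNs. Two details matter in practice: UpdateStack replaces the whole `NotificationARNs` list, so any topic already attached must be carried over (CloudFormation accepts at most five), and parameters should be passed with `UsePreviousValue` because `describe-stacks` masks `NoEcho` values as `****`. The script below is an added example, not the Conformity rule's own remediation or AWS code; it builds that request from a `describe-stacks` entry, and the `enable_stack_notifications` wrapper performs the real change through boto3 clients, which is an assumption about how you would apply it. The stack, parameter names, account ID and topic ARN in the sample are placeholders.

```python
"""Attach an Amazon SNS topic to an existing AWS CloudFormation stack.

Offline request-building logic plus a thin wrapper around boto3 CloudFormation
and SNS clients (added example; not Conformity or AWS code).
"""
import json
import sys

MAX_NOTIFICATION_ARNS = 5  # CloudFormation accepts at most five notification ARNs per stack


def build_update_stack_request(stack, topic_arn):
    """Build the UpdateStack request that adds topic_arn to a stack.

    `stack` is one entry from describe-stacks output. UpdateStack replaces the
    whole NotificationARNs list, so existing topics are carried over; the
    template and every parameter are reused unchanged (UsePreviousValue avoids
    resubmitting NoEcho values, which describe-stacks masks as ****).
    """
    arns = list(stack.get("NotificationARNs") or [])
    if topic_arn not in arns:
        arns.append(topic_arn)
    if len(arns) > MAX_NOTIFICATION_ARNS:
        raise ValueError(f"{stack['StackName']}: more than {MAX_NOTIFICATION_ARNS} notification ARNs")
    request = {
        "StackName": stack["StackName"],
        "UsePreviousTemplate": True,
        "NotificationARNs": arns,
        "Parameters": [
            {"ParameterKey": p["ParameterKey"], "UsePreviousValue": True}
            for p in stack.get("Parameters") or []
        ],
    }
    # Templates that create IAM resources must re-acknowledge their capabilities on every update.
    if stack.get("Capabilities"):
        request["Capabilities"] = list(stack["Capabilities"])
    return request


def ensure_email_topic(sns, topic_name, email):
    """Create (or reuse) the topic and subscribe the address; returns the topic ARN.

    The email subscription stays pending until the recipient confirms it.
    """
    topic_arn = sns.create_topic(Name=topic_name)["TopicArn"]  # idempotent for an existing name
    sns.subscribe(TopicArn=topic_arn, Protocol="email", Endpoint=email)
    return topic_arn


def enable_stack_notifications(cf, sns, stack_name, topic_name, email):
    """Read the stack, make sure the topic exists, and apply the notification-only update."""
    stack = cf.describe_stacks(StackName=stack_name)["Stacks"][0]
    topic_arn = ensure_email_topic(sns, topic_name, email)
    cf.update_stack(**build_update_stack_request(stack, topic_arn))
    return topic_arn


# Constructed sample stack (placeholder names and account ID) for the offline demo.
SAMPLE_STACK = {
    "StackName": "legacy-vpc",
    "StackStatus": "UPDATE_COMPLETE",
    "NotificationARNs": [],
    "Parameters": [
        {"ParameterKey": "VpcCidr", "ParameterValue": "10.0.0.0/16"},
        {"ParameterKey": "DbPassword", "ParameterValue": "****"},  # NoEcho, masked by describe-stacks
    ],
    "Capabilities": ["CAPABILITY_IAM"],
}
SAMPLE_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:cfn-stack-events"

if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: script.py STACK_NAME TOPIC_NAME EMAIL (needs boto3 + credentials)
        import boto3
        arn = enable_stack_notifications(boto3.client("cloudformation"), boto3.client("sns"), *sys.argv[1:])
        print(f"attached {arn}; confirm the subscription e-mail before relying on it")
    else:
        print(json.dumps(build_update_stack_request(SAMPLE_STACK, SAMPLE_TOPIC_ARN), indent=2))
```

Without arguments the script prints the request it would send for the sample stack; with a stack name, topic name and address it applies the change. Until the address owner confirms the SNS subscription, events are published to the topic but no e-mail is delivered, so verify the subscription with `aws sns list-subscriptions-by-topic` (or `confirm-subscription`) before treating the stack as monitored.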
References
- AWS Documentation
  - How does AWS CloudFormation work?
  - Amazon Simple Notification Service-backed custom resources
  - AWS::CloudFormation::Stack
- AWS Command Line Interface (CLI) Documentation
  - cloudformation
    - list-stacks
    - describe-stacks
    - update-stack
  - sns
    - create-topic
    - subscribe
    - confirm-subscription
- CloudFormation Documentation
  - Amazon EC2 Auto Scaling resource type reference
- Terraform Documentation
  - AWS Provider