CloudFormation Stack Notification

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudFormation console at https://console.aws.amazon.com/cloudformation.

03 Click on the name (link) of the CloudFormation stack that you want to examine.

04 Select the Stack info tab to access the configuration information available for the selected stack.

05 In the Notification options section, check the notification options defined to determine where the notifications about the stack actions will be sent. If there are no notification options defined, the selected Amazon CloudFormation stack is not configured to send notifications when important stack events occur.

06 Repeat step no. 3 – 5 for each Amazon CloudFormation stack available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

01 Run list-stacks command (OSX/Linux/UNIX) to list the name of each active Amazon CloudFormation stack available in the selected AWS region:

aws cloudformation list-stacks
  --region us-east-1
  --stack-status-filter CREATE_COMPLETE
  --output table
  --query 'StackSummaries[*].StackName'

02 The command output should return a table with the requested stack name(s):

-----------------------------
|         ListStacks        |
+---------------------------+
| cc-production-web-stack   |
| cc-demo-application-stack |
| cc-project5-test-stack    |
+---------------------------+

03 Run describe-stacks command (OSX/Linux/UNIX) using the name of the Amazon CloudFormation stack that you want to examine as the identifier parameter and custom query filters to describe the ARN of the Amazon SNS topic, configured to send stack event notifications, associated with the selected stack:

aws cloudformation describe-stacks
  --region us-east-1
  --stack-name cc-production-web-stack
  --query 'Stacks[*].NotificationARNs[]'

04 The command output should return the ARN of the associated SNS topic:

[]

05 Repeat steps no. 3 and 4 for each Amazon CloudFormation stack available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion":"2010-09-09",
	"Description":"Enable CloudFormation Stack Notifications",
	"Resources":{
		"WebAppStack" : {
			"Type" : "AWS::CloudFormation::Stack",
			"Properties" : {
				"TemplateURL" : "https://s3-external-1.amazonaws.com/cloudformation-templates-us-east-1/cc-prod-vpc-network.template",
				"Parameters" : {
					"VPCCidr" : "10.0.0.0/16"
				},
				"NotificationARNs" : ["arn:aws:sns:us-east-1:12345678901:cc-stack-alert-topic"]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
	Description: Enable CloudFormation Stack Notifications
	Resources:
		WebAppStack:
		Type: AWS::CloudFormation::Stack
		Properties:
			TemplateURL: https://s3-external-1.amazonaws.com/cloudformation-templates-us-east-1/cc-prod-vpc-network.template
			Parameters:
			VPCCidr: 10.0.0.0/16
			NotificationARNs:
			- arn:aws:sns:us-east-1:12345678901:cc-stack-alert-topic

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 3.27"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_cloudformation_stack" "prod-vpc-network" {

	name = "cc-prod-vpc-network"
	parameters = {
		VPCCidr = "10.0.0.0/16"
	}

	# Enable CloudFormation Stack Notifications
	notification_arns = ["arn:aws:sns:us-east-1:12345678901:cc-stack-alert-topic"]

	template_body = <<STACK
	{
		"Parameters" : {
			"VPCCidr" : {
				"Type" : "String",
				"Default" : "10.0.0.0/16",
				"Description" : "Provide the CIDR block for the production VPC network."
			}
		},
		"Resources" : {
			"ProdVPC": {
				"Type" : "AWS::EC2::VPC",
				"Properties" : {
					"CidrBlock" : { "Ref" : "VPCCidr" },
					"Tags" : [
						{"Key": "Name", "Value": "PROD_VPC"}
					]
				}
			}
		}
	}
	STACK

}

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudFormation console at http://console.aws.amazon.com/cloudformation/.

03 Select the Amazon CloudFormation stack that you want to reconfigure.

04 Choose Update from the console top menu and perform the following operations:

1. For Step 1 Specify template, choose Use current template from the Prepare template section to use the same stack template. Choose Next to continue the update process.
2. For Step 2 Specify stack details, you change any input parameters defined within your stack template. Choose Next to continue.
3. For Step 3 Configure stack options, select Notification options, and choose Create new SNS topic to create a new Amazon SNS topic and subscribe to it using an email address. In the Create new SNS topic configuration box, provide a unique name for the new SNS topic, enter the email address where you want to receive stack event notifications, then choose Create SNS topic to create the required Amazon SNS topic. Use an email client to open the subscription confirmation message from AWS Notification, and click on the appropriate link to confirm your SNS subscription. Go back to the Amazon CloudFormation console and select the ARN of the newly created SNS topic from the SNS topic ARN – optional dropdown list to associate the new SNS topic with your CloudFormation stack. Choose Next to continue.
4. For Step 4 Review, review the stack configuration changes, then choose Update stack to update the selected CloudFormation stack. Once the stack status is changed to UPDATE_COMPLETE, the association with the selected SNS topic is complete.

05 Repeat steps no. 3 and 4 to enable stack event notifications for each Amazon CloudFormation stack available within the current AWS region.

06 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

01 Run create-topic command (OSX/Linux/UNIX) to create a new Amazon SNS topic required to send notifications whenever CloudFormation stack events occur within your AWS account:

aws sns create-topic
  --name cc-stack-alert-topic

02 The command output should return the Amazon Resource Name (ARN) of the newly created Amazon SNS topic:

{
  "TopicArn": "arn:aws:sns:us-east-1:12345678901:cc-stack-alert-topic"
}

03 Run subscribe command (OSX/Linux/UNIX) to send the subscription confirmation message to the notification endpoint (i.e. the email address provided):

aws sns subscribe
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-stack-alert-topic
  --protocol email
  --notification-endpoint notifyme@trendmicro.com

04 Run confirm-subscription command (OSX/Linux/UNIX) to confirm the email subscription by validating the token sent to the notification endpoint selected (the command does not produce an output):

aws sns confirm-subscription
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-stack-alert-topic
  --token abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd

05 Once the required SNS topic is created and configured, run update-stack command (OSX/Linux/UNIX) to update your Amazon CloudFormation stack in order to associate it with the newly created SNS topic:

aws cloudformation update-stack
  --region us-east-1
  --stack-name cc-production-web-stack
  --use-previous-template
  --notification-arns arn:aws:sns:us-east-1:123456789012:cc-stack-alert-topic

06 The command output should return the ID of the updated CloudFormation stack:

{
  "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/cc-production-web-stack/abcdabcd-abcd-abcd-abcd-abcdabcdabcd"
}

07 Repeat steps no. 5 and 6 to enable stack event notifications for each Amazon CloudFormation stack available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.