Use the Conformity Knowledge Base AI to help improve your Cloud Posture

CloudFormation Stack Notification

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CFM-001

Ensure that your Amazon CloudFormation stacks are configured with SNS topics that receive notifications when important events occur. Monitoring stack events such as create (which provisions the resources described in a template), update (which changes the stack configuration) and delete (which terminates the stack by removing its collection of AWS resources) lets you respond quickly to any unauthorized action that alters your stack environment.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

With event notifications enabled, you gain visibility into changes to your Amazon CloudFormation stacks as they happen, which supports both security monitoring and operational management.

Audit

To determine if the event notifications are enabled for your Amazon CloudFormation stacks, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudFormation console at https://console.aws.amazon.com/cloudformation.

03 Click on the name (link) of the CloudFormation stack that you want to examine.

04 Select the Stack info tab to access the configuration information available for the selected stack.

05 In the Notification options section, check the notification options defined to determine where the notifications about the stack actions will be sent. If there are no notification options defined, the selected Amazon CloudFormation stack is not configured to send notifications when important stack events occur.

06 Repeat steps no. 3 – 5 for each Amazon CloudFormation stack available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-stacks command (OSX/Linux/UNIX) to list the name of each active Amazon CloudFormation stack available in the selected AWS region. Filter on every status a live stack can sit in; filtering on CREATE_COMPLETE alone silently skips stacks that have been updated since they were created:

aws cloudformation list-stacks
  --region us-east-1
  --stack-status-filter CREATE_COMPLETE UPDATE_COMPLETE UPDATE_ROLLBACK_COMPLETE
  --output table
  --query 'StackSummaries[*].StackName'

02 The command output should return a table with the requested stack name(s):

-----------------------------
|         ListStacks        |
+---------------------------+
| cc-production-web-stack   |
| cc-demo-application-stack |
| cc-project5-test-stack    |
+---------------------------+

03 Run describe-stacks command (OSX/Linux/UNIX) using the name of the Amazon CloudFormation stack that you want to examine as the identifier parameter and custom query filters to describe the ARN of the Amazon SNS topic, configured to send stack event notifications, associated with the selected stack:

aws cloudformation describe-stacks
  --region us-east-1
  --stack-name cc-production-web-stack
  --query 'Stacks[*].NotificationARNs[]'

04 The command output should return the ARN(s) of the SNS topic(s) associated with the stack, or an empty array if none is configured:

[]

If the describe-stacks command output returns an empty array (i.e. []), as shown in the example above, there is no SNS topic associated with the stack, therefore the selected Amazon CloudFormation stack is not configured to send notifications when important stack events occur.

05 Repeat steps no. 3 and 4 for each Amazon CloudFormation stack available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
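The audit steps above are manual and per stack. The following script is an added example, not Conformity's or AWS's own code, that applies the same check across every active stack status and every region. The pure function works on the `Stacks` array exactly as describe-stacks returns it, so it runs offline against the constructed sample embedded below; the two live helpers assume boto3 is installed and AWS credentials are configured, and import it lazily so the offline part never needs it.

```python
"""Added example (not Conformity's or AWS's own code): flag CloudFormation
stacks that publish no event notifications, across every active status and
every region the caller can reach."""
import json

# Statuses that mean the stack is live and worth auditing. Filtering on
# CREATE_COMPLETE alone skips stacks that have since been updated; this tuple
# is an assumption covering the states a long-lived stack normally sits in.
ACTIVE_STATUSES = (
    "CREATE_COMPLETE",
    "UPDATE_COMPLETE",
    "UPDATE_ROLLBACK_COMPLETE",
    "IMPORT_COMPLETE",
    "IMPORT_ROLLBACK_COMPLETE",
)


def stacks_without_notifications(stacks):
    """Return the names of active stacks whose NotificationARNs list is empty
    or missing. `stacks` is the `Stacks` array returned by describe-stacks."""
    findings = []
    for stack in stacks:
        if stack.get("StackStatus") not in ACTIVE_STATUSES:
            continue
        if not stack.get("NotificationARNs"):
            findings.append(stack["StackName"])
    return findings


def audit_region(region, session=None):
    """Live check with boto3 (imported lazily so the pure function above works
    offline). Uses the describe-stacks paginator, because a single call may
    return only one page of stacks in a busy account."""
    import boto3  # assumption: boto3 installed and credentials configured
    session = session or boto3.session.Session()
    cfn = session.client("cloudformation", region_name=region)
    stacks = []
    for page in cfn.get_paginator("describe_stacks").paginate():
        stacks.extend(page["Stacks"])
    return stacks_without_notifications(stacks)


def audit_all_regions(session=None):
    """Walk every region CloudFormation is offered in, since the rule is
    evaluated per region and a stack in a forgotten region is still a stack."""
    import boto3
    session = session or boto3.session.Session()
    report = {}
    for region in session.get_available_regions("cloudformation"):
        try:
            report[region] = audit_region(region, session)
        except Exception as exc:  # opted-out regions raise; record and go on
            report[region] = f"ERROR: {exc}"
    return report


# Constructed sample in the describe-stacks output shape (not real account data)
SAMPLE_DESCRIBE_STACKS = json.loads("""
{
  "Stacks": [
    {"StackName": "cc-production-web-stack", "StackStatus": "CREATE_COMPLETE",
     "NotificationARNs": []},
    {"StackName": "cc-demo-application-stack", "StackStatus": "UPDATE_COMPLETE",
     "NotificationARNs": ["arn:aws:sns:us-east-1:123456789012:cc-stack-alert-topic"]},
    {"StackName": "cc-project5-test-stack", "StackStatus": "UPDATE_COMPLETE",
     "NotificationARNs": []},
    {"StackName": "cc-old-stack", "StackStatus": "DELETE_COMPLETE",
     "NotificationARNs": []}
  ]
}
""")

if __name__ == "__main__":
    print(stacks_without_notifications(SAMPLE_DESCRIBE_STACKS["Stacks"]))
    # → ['cc-production-web-stack', 'cc-project5-test-stack']
```

Run `audit_all_regions()` from a shell with credentials loaded to get a per-region dictionary of non-compliant stack names; the DELETE_COMPLETE entry in the sample is there only to show that finished stacks are not reported.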

Remediation / Resolution

To associate your CloudFormation stacks with Amazon SNS topics in order to receive email notifications whenever stack events occur, perform the following actions. Note that the CloudFormation templates below set NotificationARNs on an AWS::CloudFormation::Stack resource, which configures notifications for the nested (child) stack that resource creates; the parent stack receives its own notification ARNs from the create-stack or update-stack call that deploys it.

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Enable CloudFormation Stack Notifications",
  "Resources": {
    "WebAppStack": {
      "Type": "AWS::CloudFormation::Stack",
      "Properties": {
        "TemplateURL": "https://s3-external-1.amazonaws.com/cloudformation-templates-us-east-1/cc-prod-vpc-network.template",
        "Parameters": {
          "VPCCidr": "10.0.0.0/16"
        },
        "NotificationARNs": ["arn:aws:sns:us-east-1:123456789012:cc-stack-alert-topic"]
      }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable CloudFormation Stack Notifications
Resources:
  WebAppStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://s3-external-1.amazonaws.com/cloudformation-templates-us-east-1/cc-prod-vpc-network.template
      Parameters:
        VPCCidr: 10.0.0.0/16
      NotificationARNs:
        - arn:aws:sns:us-east-1:123456789012:cc-stack-alert-topic

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_cloudformation_stack" "prod-vpc-network" {
  name = "cc-prod-vpc-network"

  parameters = {
    VPCCidr = "10.0.0.0/16"
  }

  # Enable CloudFormation Stack Notifications.
  # notification_arns is the complete list for the stack, so every topic the
  # stack should report to belongs in this one attribute.
  notification_arns = ["arn:aws:sns:us-east-1:123456789012:cc-stack-alert-topic"]

  template_body = <<-STACK
    {
      "Parameters" : {
        "VPCCidr" : {
          "Type" : "String",
          "Default" : "10.0.0.0/16",
          "Description" : "Provide the CIDR block for the production VPC network."
        }
      },
      "Resources" : {
        "ProdVPC": {
          "Type" : "AWS::EC2::VPC",
          "Properties" : {
            "CidrBlock" : { "Ref" : "VPCCidr" },
            "Tags" : [
              {"Key": "Name", "Value": "PROD_VPC"}
            ]
          }
        }
      }
    }
  STACK
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudFormation console at https://console.aws.amazon.com/cloudformation/.

03 Select the Amazon CloudFormation stack that you want to reconfigure.

04 Choose Update from the console top menu and perform the following operations:

  1. For Step 1 Specify template, choose Use current template from the Prepare template section to use the same stack template. Choose Next to continue the update process.
  2. For Step 2 Specify stack details, you can change any input parameters defined within your stack template, or leave them as they are. Choose Next to continue.
  3. For Step 3 Configure stack options, expand Notification options and choose Create new SNS topic to create a new Amazon SNS topic and subscribe to it with an email address. In the Create new SNS topic configuration box, provide a unique name for the new SNS topic, enter the email address where you want to receive stack event notifications, then choose Create SNS topic. Use an email client to open the subscription confirmation message from AWS Notification and click the link in it to confirm your SNS subscription. Go back to the Amazon CloudFormation console and select the ARN of the newly created SNS topic from the SNS topic ARN – optional dropdown list to associate the new SNS topic with your CloudFormation stack. Choose Next to continue.
  4. For Step 4 Review, review the stack configuration changes, then choose Update stack to update the selected CloudFormation stack. Once the stack status is changed to UPDATE_COMPLETE, the association with the selected SNS topic is complete.

05 Repeat steps no. 3 and 4 to enable stack event notifications for each Amazon CloudFormation stack available within the current AWS region.

06 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-topic command (OSX/Linux/UNIX) to create a new Amazon SNS topic required to send notifications whenever CloudFormation stack events occur within your AWS account:

aws sns create-topic
  --name cc-stack-alert-topic

02 The command output should return the Amazon Resource Name (ARN) of the newly created Amazon SNS topic:

{
  "TopicArn": "arn:aws:sns:us-east-1:123456789012:cc-stack-alert-topic"
}

03 Run subscribe command (OSX/Linux/UNIX) to send the subscription confirmation message to the notification endpoint (i.e. the email address provided):

aws sns subscribe
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-stack-alert-topic
  --protocol email
  --notification-endpoint notifyme@trendmicro.com

04 Run confirm-subscription command (OSX/Linux/UNIX) to confirm the email subscription. The token is the one embedded in the confirmation link that SNS sends to the notification endpoint; opening that link in a browser confirms the subscription in the same way. The command returns the ARN of the confirmed subscription:

aws sns confirm-subscription
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-stack-alert-topic
  --token abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd

05 Once the required SNS topic is created and configured, run update-stack command (OSX/Linux/UNIX) to update your Amazon CloudFormation stack in order to associate it with the newly created SNS topic. --notification-arns sets the stack's complete notification list, so include any topic that is already attached. If the stack template declares parameters, add --parameters ParameterKey=<name>,UsePreviousValue=true for each of them, and if the stack creates IAM resources, add --capabilities with the value the stack was created with (CAPABILITY_IAM or CAPABILITY_NAMED_IAM); otherwise the update is rejected:

aws cloudformation update-stack
  --region us-east-1
  --stack-name cc-production-web-stack
  --use-previous-template
  --notification-arns arn:aws:sns:us-east-1:123456789012:cc-stack-alert-topic

06 The command output should return the ID of the updated CloudFormation stack:

{
  "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/cc-production-web-stack/abcdabcd-abcd-abcd-abcd-abcdabcdabcd"
}

07 Repeat steps no. 5 and 6 to enable stack event notifications for each Amazon CloudFormation stack available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
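The update-stack call in step 05 is easy to get wrong on a stack that has parameters, IAM capabilities or an existing topic. The following is an added example, not Conformity's or AWS's own code, that builds the update-stack arguments from the stack's own describe-stacks record so those three things are carried over automatically. The builder is a pure function tested against a constructed stack record; `attach_topic` is the live path and assumes boto3 is installed and credentials are configured.

```python
"""Added example (not Conformity's or AWS's own code): attach an SNS topic to an
existing CloudFormation stack without disturbing its template, parameters or
capabilities."""


def build_notification_update(stack, topic_arn):
    """Return keyword arguments for boto3 CloudFormation.update_stack, or None
    when the topic is already attached.

    `stack` is one entry of the describe-stacks `Stacks` array. The call keeps
    the current template, re-uses every existing parameter value (an update
    that omits a parameter with no default is rejected), carries over the
    capabilities the stack was created with (IAM resources need CAPABILITY_IAM
    or CAPABILITY_NAMED_IAM on every update), and appends the topic to the
    stack's present NotificationARNs, since the argument is the whole list."""
    existing = list(stack.get("NotificationARNs", []))
    if topic_arn in existing:
        return None  # already compliant; nothing to update
    args = {
        "StackName": stack["StackName"],
        "UsePreviousTemplate": True,
        "NotificationARNs": existing + [topic_arn],
        "Parameters": [
            {"ParameterKey": p["ParameterKey"], "UsePreviousValue": True}
            for p in stack.get("Parameters", [])
        ],
    }
    if stack.get("Capabilities"):
        args["Capabilities"] = list(stack["Capabilities"])
    return args


def attach_topic(region, stack_name, topic_arn):
    """Live remediation with boto3 (lazy import so the builder runs offline).
    Returns the stack ID, or None if the stack was already compliant."""
    import boto3  # assumption: boto3 installed and credentials configured
    cfn = boto3.client("cloudformation", region_name=region)
    stack = cfn.describe_stacks(StackName=stack_name)["Stacks"][0]
    args = build_notification_update(stack, topic_arn)
    if args is None:
        return None
    stack_id = cfn.update_stack(**args)["StackId"]
    # Block until the update settles so a failed update surfaces here rather
    # than being noticed later in the console.
    cfn.get_waiter("stack_update_complete").wait(StackName=stack_name)
    return stack_id


# Constructed describe-stacks entry (not real account data): a stack with one
# parameter, an IAM capability and a topic that is already attached.
SAMPLE_STACK = {
    "StackName": "cc-production-web-stack",
    "StackStatus": "UPDATE_COMPLETE",
    "Parameters": [{"ParameterKey": "VPCCidr", "ParameterValue": "10.0.0.0/16"}],
    "Capabilities": ["CAPABILITY_IAM"],
    "NotificationARNs": ["arn:aws:sns:us-east-1:123456789012:cc-existing-topic"],
}
TOPIC = "arn:aws:sns:us-east-1:123456789012:cc-stack-alert-topic"

if __name__ == "__main__":
    print(build_notification_update(SAMPLE_STACK, TOPIC))
```

Calling `attach_topic("us-east-1", "cc-production-web-stack", TOPIC)` performs the same operation as the update-stack command in step 05, with the parameter and capability arguments derived from the stack instead of typed by hand; loop it over the stack names reported by the audit to remediate a whole region.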

Publication date Feb 6, 2017