Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

CloudFormation Stack Policy

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CFM-002

Ensure your AWS CloudFormation stacks are using policies as a fail-safe mechanism in order to prevent accidental updates to stack resources. A CloudFormation stack policy is a JSON-based document that defines which actions can be performed on specified resources.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

With CloudFormation stack policies you can protect all or certain resources in your stacks from being unintentionally updated or deleted during the update process.

Audit

To determine if your CloudFormation stacks are using policies to protect their resources from being unintentionally updated, perform the following:

Note: Verifying CloudFormation stacks for policies using AWS Management Console is not currently supported.

Using AWS CLI

01 Run list-stacks command (OSX/Linux/UNIX) to list the names of all CloudFormation stacks available in the selected AWS region: 

aws cloudformation list-stacks
    --region us-east-1
    --output table
    --query 'StackSummaries[*].StackName'

02 The command output should return a table with the requested CloudFormation stack names: 

--------------------
|    ListStacks    |
+------------------+
|  MyAppProdStack  |
|  MyAppTestStack  |
|  MyAppDevStack   |
+------------------+

03 Now run get-stack-policy command (OSX/Linux/UNIX) to expose the stack policy for the specified CloudFormation stack: 

aws cloudformation get-stack-policy
    --region us-east-1
    --stack-name MyAppProdStack

04 The command output should return the policy document body for the selected stack, e.g.: 

{
   "StackPolicyBody": "{
      "Statement" : [
        {
          "Effect" : "Deny",
          "Action" : "Update:*",
          "Principal": "*",
          "Resource" : "*"
        }
      ]
   }"
}

If the command is not returning an output, the selected CloudFormation stack does not have any policies attached, therefore the stack resources are not protected against accidental updates. To apply a policy to an existing stack, follow the steps outlined in the Remediation/Resolution section.

05 Repeat step no. 3 and 4 to verify if the other stacks available in the selected region have policies attached.

06 Perform steps no. 1 – 5 to repeat the audit process for the other AWS regions.

Remediation / Resolution

To define CloudFormation stack policies based on your requirements and apply these policies to your existing stacks, perform the following:

Note: Attaching policies to existing CloudFormation stacks using AWS Management Console is not currently supported.

Using AWS CLI

01Define the stack policy based on the type of resources that you want to protect against accidental updates. A stack policy is a JSON-based document that contains the stack update actions performed by all CloudFormation users and the resources that these actions apply to. Based on your needs, you can use one of the example policies defined below.

  1. To prevent updates to all stack resources, use the following policy document: 
    {
  "Statement" : [
    {
      "Effect" : "Deny",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*"
    }
  ]
}
  2. To prevent updates to a certain stack resource, use the following policy document. The resource used in the example below is an EC2 instance available within the stack (highlighted): 
    {
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*"
    },
    {
      "Effect" : "Deny",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "MyEC2Instance/ProductionAppServer"
    }
  ]
}
  3. To prevent updates to all Instances of a stack resource type, use the following policy document. The resource type used in the example below is the EC2 instance (highlighted): 
    {
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*"
    },
    {
      "Effect" : "Deny",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : {
          "ResourceType" : ["AWS::EC2::Instance"]
        }
      }
    }
  ]
}
  4. To prevent updates to nested CloudFormation stacks, use the following policy document: 
    {
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*"
    },
    {
      "Effect" : "Deny",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : {
          "ResourceType" : ["AWS::CloudFormation::Stack"]
        }
      }
    }
  ]
}

02 Now run create-bucket command (OSX/Linux/UNIX) to create the S3 bucket that will store your stack policies. The S3 bucket must be created in the same AWS region as the CloudFormation stack: 

aws s3api create-bucket
    --bucket cfn-policies
    --region us-east-1

03 The command output should return the new S3 bucket location: 

{
    "Location": "/cfn-policies"
}

04 Paste one of the policy documents outlined at step no. 1 in a JSON file (e.g., cfn-custom-policy.json) based on your requirements, then run put-object command (OSX/Linux/UNIX) to upload the file to the newly created S3 bucket: 

aws s3api put-object
    --bucket cfn-policies
    --key cfn-custom-policy.json
    --body cfn-custom-policy.json

05 The command output should return the entity tag (ETag) for the uploaded JSON file: 

{
    "ETag": "\"1a9339b338972f4de8d2550180da7d31\""
}

06 Run set-stack-policy command (OSX/Linux/UNIX) to attach the stack policy created at step no. 4 to the selected CloudFormation stack (if successful, the command does not return an output): 

aws cloudformation set-stack-policy
    --region us-east-1
    --stack-name MyAppProdStack
    --stack-policy-url https://s3.amazonaws.com/cfn-policies/cfn-custom-policy.json

07 Once attached, you cannot detach a stack policy. If you need to update your stack and remove the protection from all resources, you can modify the policy to explicitly allow all actions on all resources and repeat steps no. 4 – 6 to apply the new policy. The following policy allows all updates on all resources available in the stack: 

{
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*"
    }
  ]
}

08 Repeat step no. 4 – 6 to apply stack policies to other CloudFormation stacks available in the selected region.

09 Change the AWS region to repeat the process for the other regions.

References

Publication date Feb 6, 2017

Related CloudFormation rules