AWS CloudFormation Deletion Policy in Use

Risk Level: Medium (should be achieved)

Ensure that a deletion policy, implemented with the DeletionPolicy attribute, is used for your Amazon CloudFormation stacks in order preserve or backup AWS resources when the stacks are deleted. For example, you can retain an Amazon S3 bucket or take a snapshot of an EBS volume so that you can continue to utilize or modify these resource after you delete their stack.

AWS CloudFormation DeletionPolicy attribute has 3 options:

1. Retain - CloudFormation keeps the AWS resource without deleting it or its contents when the stack is deleted and this option can be applied to any resource type. When CloudFormation service completes the stack deletion, the stack state will be "DELETE_COMPLETE" but the resources that are retained will continue to exist within your AWS account and continue to collect charges until you terminate or delete those resources.

2. Snapshot - when this option is used, CloudFormation creates snapshots of the AWS resources that support snapshots before deleting them. Just like the Retain option, the snapshots created with this option will continue to incur AWS charges until you delete them. The Snapshot option can be applied to the following AWS resources:

EBS volumes
RDS instances
RDS database clusters
Redshift clusters
ElastiCache cache clusters
ElastiCache Redis replication groups

3. Delete - CloudFormation deletes the specified AWS resource and all its content if applicable during stack deletion. DeletionPolicy attribute set to Delete can be applied to any AWS resource type.

Security

Operational
excellence

By default, if the DeletionPolicy attribute is not specified for resources within the stack, AWS CloudFormation deletes those resources. With DeletionPolicy set to Retain or Snapshot, you have the guarantee that your AWS resources are not terminated or deleted and make sure that your data remains intact after stack removal.

Note: As example, this conformity rule demonstrates how to use Retain option for an AWS CloudFormation stack deletion policy to retain an S3 bucket configured for website access after the stack is deleted. To use other two deletion policy options, just replace Retain with Snapshot or Delete within the DeletionPolicy attribute value. The Snapshot option can be used only for AWS resources that support snapshots such as RDS database instances and EBS volumes, while the Delete option can be applied to any resource type.

Audit

To determine if your Amazon CloudFormation stacks are using deletion policies, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to CloudFormation dashboard at https://console.aws.amazon.com/cloudformation/.

03 Select the CloudFormation stack that you want to examine.

04 Select the Template tab from the dashboard bottom panel to view the stack template.

05 On the Template panel, search the entire template for the DeletionPolicy attribute, i.e. "DeletionPolicy" : "Retain" for JSON-based templates and DeletionPolicy: Retain for YAML templates. If there is no DeletionPolicy attribute defined within the JSON/YAML template document, the selected Amazon CloudFormation stack does not have a deletion policy implemented.

06 Repeat steps no. 3 – 5 to verify the templates used for other AWS CloudFormation stacks, available within the current region, for deletion policies.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run list-stacks command (OSX/Linux/UNIX) to list the names of all CloudFormation stacks available in the selected AWS region:

aws cloudformation list-stacks
  --region us-east-1
  --output table
  --query 'StackSummaries[*].StackName'

02 The command output should return a table with the requested stack names:

-----------------------
|     ListStacks      |
+---------------------+
|  cloudconformity    |
|  cc-production-app  |
|  cc-project5-stack  |
+---------------------+

03 Run get-template command (OSX/Linux/UNIX) using the name of the AWS CloudFormation stack that you want to examine as identifier to list the entire template body for the selected stack:

aws cloudformation get-template
  --region us-east-1
  --stack-name cloudconformity
  --query 'TemplateBody'

04 The command output should return the requested CloudFormation template document:

{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Description" : "Amazon CloudFormation template that creates a publicly accessible AWS S3 bucket configured for website access.",
  "Resources" : {
    "S3Bucket" : {
      "Type" : "AWS::S3::Bucket",
      "Properties" : {
        "AccessControl" : "PublicRead",
        "WebsiteConfiguration" : {
          "IndexDocument" : "index.html",
          "ErrorDocument" : "error.html"
         }
      }
    }
  },
  "Outputs" : {
    "WebsiteURL" : {
      "Value" : { "Fn::GetAtt" : [ "S3Bucket", "WebsiteURL" ] },
      "Description" : "URL for website hosted on Amazon S3."
    },
    "S3BucketSecureURL" : {
      "Value" : { "Fn::Join" : [ "", [ "https://", { "Fn::GetAtt" : [ "S3Bucket", "DomainName" ] } ] ] },
      "Description" : "Name of the S3 bucket that holds the website content."
    }
  }
}

Search the entire stack template returned by the get-template command output for the DeletionPolicy attribute, i.e. "DeletionPolicy" : "Retain" for JSON-based templates, as shown in the example above, and DeletionPolicy: Retain for YAML templates. If there is no DeletionPolicy attribute defined within the JSON/YAML template document returned, the selected AWS CloudFormation stack does not have a deletion policy in use.

05 Repeat step no. 3 and 4 to check the templates of other Amazon CloudFormation stacks, available within the selected region, for deletion policies.

06 Perform steps no. 1 – 5 to repeat the entire audit process for the other AWS regions.

Remediation / Resolution

To implement a CloudFormation deletion policy that enables you to retain an AWS resource in the event of a stack deletion, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudFormation dashboard at https://console.aws.amazon.com/cloudformation/.

03 Modify the template used for the CloudFormation stack that contains the AWS resource(s) that you want to preserve (in this case an Amazon S3 bucket), by adding the "DeletionPolicy" : "Retain" attribute to the element block of the AWS resource that you want to retain, as shown in the template example below:

{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Description" : "Amazon CloudFormation template that creates a publicly accessible AWS S3 bucket configured for website access.",
  "Resources" : {
    "S3Bucket" : {
      "Type" : "AWS::S3::Bucket",
      "Properties" : {
        "AccessControl" : "PublicRead",
        "WebsiteConfiguration" : {
          "IndexDocument" : "index.html",
          "ErrorDocument" : "error.html"
         }
      },
      "DeletionPolicy" : "Retain"
    }
  },
  "Outputs" : {
    "WebsiteURL" : {
      "Value" : { "Fn::GetAtt" : [ "S3Bucket", "WebsiteURL" ] },
      "Description" : "URL for website hosted on Amazon S3."
    },
    "S3BucketSecureURL" : {
      "Value" : { "Fn::Join" : [ "", [ "https://", { "Fn::GetAtt" : [ "S3Bucket", "DomainName" ] } ] ] },
      "Description" : "Name of the S3 bucket that holds the website content."
    }
  }
}

04 Select the CloudFormation stack that you want to update (see Audit section part I to identify the right stack).

05 Click the Actions dropdown button from the dashboard top menu and select Update Stack to start the update process.

06 On the Select Template page, inside the Choose a template section, choose Upload a template to Amazon S3 option and use the Browse button to select the CloudFormation template edited at step no. 3 in order to upload it to AWS S3.

07 Click the Next button, without changing any stack configuration parameters, until you reach the Review page.

08 On the Review page, check the entire configuration for your CloudFormation stack before updating it.

09 Click Update to update the selected CloudFormation stack. Once the stack has been successfully updated, its status should change from UPDATE_IN_PROGRESS to UPDATE_COMPLETE.

10 If required, repeat steps no. 3 – 9 to implement a retain deletion policy for other Amazon CloudFormation stacks available in the selected region.

11 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Edit the template used for the CloudFormation stack which contains the AWS resource(s) that you want to retain (i.e. an S3 bucket), by adding the "DeletionPolicy" : "Retain" attribute to the element block of the AWS resource that you want to preserve, as shown in the example below, and upload the template document to AWS S3:

{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Description" : "Amazon CloudFormation template that creates a publicly accessible AWS S3 bucket configured for website access.",
  "Resources" : {
    "S3Bucket" : {
      "Type" : "AWS::S3::Bucket",
      "Properties" : {
        "AccessControl" : "PublicRead",
        "WebsiteConfiguration" : {
          "IndexDocument" : "index.html",
          "ErrorDocument" : "error.html"
         }
      },
      "DeletionPolicy" : "Retain"
    }
  },
  "Outputs" : {
    "WebsiteURL" : {
      "Value" : { "Fn::GetAtt" : [ "S3Bucket", "WebsiteURL" ] },
      "Description" : "URL for website hosted on Amazon S3."
    },
    "S3BucketSecureURL" : {
      "Value" : { "Fn::Join" : [ "", [ "https://", { "Fn::GetAtt" : [ "S3Bucket", "DomainName" ] } ] ] },
      "Description" : "Name of the S3 bucket that holds the website content."
    }
  }
}

02 Run update-stack command (OSX/Linux/UNIX) to update the required AWS CloudFormation stack (see Audit section part I to identify the appropriate stack), using the CloudFormation template modified at the previous step, to implement the necessary deletion policy. The following command example, updates a CloudFormation stack named "cloudconformity" using a JSON-based template uploaded to Amazon S3, template document that has "DeletionPolicy" attribute set to "Retain". Replace <cloudformation-template-s3-location> with the URL of your own template:

aws cloudformation update-stack
  --region us-east-1
  --stack-name cloudconformity
  --template-url <cloudformation-template-s3-location>

03 The command output should return the ID of the updated AWS CloudFormation stack:

{
  "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/cloudconformity/c08f7e20-cade-11e8-b617-500c20fb9099"
}

04 If required, repeat steps no. 1 – 3 to assign a retain deletion policy to other Amazon CloudFormation stacks available within the selected region.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the entire process for other regions.

References

AWS Command Line Interface (CLI) Documentation
cloudformation
list-stacks
get-template
update-stack

Publication date Oct 29, 2018

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

AWS CloudFormation Deletion Policy in Use

Risk Level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related CloudFormation rules