Best practice rules for AWS CloudFormation
AWS CloudFormation gives you the ability to easily manage a collection of AWS resources by automating the creation and termination of your infrastructure, services, and applications.
CloudFormation is broken down into two parts, templates and stacks. A template is a file that defines what resources are required to run your application. For example, the template may dictate that your application requires 3 Elastic Compute Cloud (EC2) servers and a specific Identity and Access Management (IAM) policy. Once the template is uploaded, CloudFormation automatically launches the required resources and builds a running instance (stack) that matches the template.
- AWS CloudFormation Deletion Policy in Use
Ensure a deletion policy is used for your Amazon CloudFormation stacks.
- AWS CloudFormation Drift Detection
Ensure that Amazon CloudFormation stacks have not drifted from their templates.
- CloudFormation In Use
Ensure the CloudFormation service is in use for defining your cloud architectures on Amazon Web Services.
- CloudFormation Stack Failed Status
Ensure AWS CloudFormation stacks aren't in a 'Failed' status for more than 6 hours.
- CloudFormation Stack Notification
Ensure CloudFormation stacks are integrated with SNS to receive notifications about stack events.
- CloudFormation Stack Policy
Ensure CloudFormation stack policies are set to prevent accidental updates to stack resources.
- CloudFormation Stack Termination Protection
Ensure Termination Protection feature is enabled for your AWS CloudFormation stacks.
- CloudFormation Stack With IAM Role
Ensure that the IAM role associated with CloudFormation stacks adheres to the principle of least privilege in order to avoid unwanted privilege escalation.
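The rules above are all checkable from stack metadata, the stack's template and the service role's policy. The following is an added example, not code from the original page or from any AWS tool: it evaluates each stack record against the deletion-policy, drift, failed-status, notification, stack-policy, termination-protection and IAM-role rules. The stack records are constructed samples: each is a single dict assembled from the shape of `describe-stacks` output plus fields named here for convenience (`DriftStatus`, `HasStackPolicy`, `RolePolicy`, `Template`) that in practice you would populate from `describe-stack-drift-detection-status`, `get-stack-policy`, `iam get-role-policy` and `get-template`. Stack names, ARNs and the account id are hypothetical.

```python
"""Offline audit of CloudFormation stacks against the best-practice rules above.

Added example; the sample stacks, template and role policy are constructed
and the field names DriftStatus, HasStackPolicy, RolePolicy and Template are
assumptions of this script, not describe-stacks output.
"""
from datetime import datetime, timedelta, timezone

# Resource types whose deletion destroys data; the deletion-policy rule
# expects DeletionPolicy Retain or Snapshot on these.
STATEFUL_TYPES = {"AWS::RDS::DBInstance", "AWS::S3::Bucket",
                  "AWS::DynamoDB::Table", "AWS::EC2::Volume"}
FAILED_STATUS_MAX_AGE = timedelta(hours=6)   # threshold from the failed-status rule
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducible runs


def template_findings(template):
    """Flag stateful resources that would be destroyed along with the stack."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") in STATEFUL_TYPES and \
                res.get("DeletionPolicy") not in ("Retain", "Snapshot"):
            findings.append(f"{name} ({res['Type']}) lacks a Retain/Snapshot DeletionPolicy")
    return findings


def role_policy_is_overbroad(policy_doc):
    """True if any Allow statement grants every action on every resource."""
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            return True
    return False


def stack_findings(stack, now=NOW):
    """Check one assembled stack record against the rules; returns a list of findings."""
    findings = []
    if stack["StackStatus"].endswith("FAILED"):
        since = stack.get("LastUpdatedTime") or stack["CreationTime"]
        if now - since > FAILED_STATUS_MAX_AGE:
            findings.append(f"in {stack['StackStatus']} for more than 6 hours")
    if not stack.get("EnableTerminationProtection"):
        findings.append("termination protection disabled")
    if not stack.get("NotificationARNs"):
        findings.append("no SNS topic receives stack events")
    if stack.get("DriftStatus") == "DRIFTED":
        findings.append("live resources have drifted from the template")
    if not stack.get("HasStackPolicy"):
        findings.append("no stack policy guards against accidental updates")
    if not stack.get("RoleARN"):
        findings.append("no service role; operations run with the caller's permissions")
    elif role_policy_is_overbroad(stack.get("RolePolicy", {})):
        findings.append("service role policy allows */* (not least privilege)")
    findings += template_findings(stack.get("Template", {}))
    return findings


# Constructed sample input (hypothetical stack names, account id 111122223333).
SAMPLE_STACKS = [
    {   # a stack that satisfies every rule
        "StackName": "payments-prod",
        "StackStatus": "UPDATE_COMPLETE",
        "CreationTime": NOW - timedelta(days=30),
        "EnableTerminationProtection": True,
        "NotificationARNs": ["arn:aws:sns:us-east-1:111122223333:cfn-events"],
        "RoleARN": "arn:aws:iam::111122223333:role/cfn-payments-deploy",
        "RolePolicy": {"Statement": [{"Effect": "Allow",
                                      "Action": ["rds:*", "s3:*"], "Resource": "*"}]},
        "DriftStatus": "IN_SYNC",
        "HasStackPolicy": True,
        "Template": {"Resources": {
            "Db": {"Type": "AWS::RDS::DBInstance", "DeletionPolicy": "Snapshot"},
            "Web": {"Type": "AWS::EC2::Instance"}}},
    },
    {   # a stack that violates every rule
        "StackName": "sandbox-test",
        "StackStatus": "UPDATE_ROLLBACK_FAILED",
        "CreationTime": NOW - timedelta(days=2),
        "LastUpdatedTime": NOW - timedelta(hours=7),
        "EnableTerminationProtection": False,
        "NotificationARNs": [],
        "RoleARN": "arn:aws:iam::111122223333:role/cfn-admin",
        "RolePolicy": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        "DriftStatus": "DRIFTED",
        "HasStackPolicy": False,
        "Template": {"Resources": {"Bucket": {"Type": "AWS::S3::Bucket"}}},
    },
]


def audit(stacks=SAMPLE_STACKS):
    """Return {stack name: [findings]} for every stack that violates at least one rule."""
    return {s["StackName"]: f for s in stacks if (f := stack_findings(s))}


if __name__ == "__main__":
    for name, issues in audit().items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Running it prints only `sandbox-test` with seven findings; `payments-prod` produces none because its role policy is scoped to service prefixes rather than `*`, its database carries a `Snapshot` deletion policy, and the stack has notifications, a stack policy and termination protection in place. The failed-status check uses `LastUpdatedTime` when present and falls back to `CreationTime`, matching how a stack that failed on first creation has no update timestamp.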