Ensure all your AWS CloudFormation stacks are using Simple Notification Service (AWS SNS) so that you receive notifications when a stack event occurs. Monitoring stack events such as create (which triggers the provisioning process based on a defined CloudFormation template), update (which changes the stack configuration) and delete (which terminates the stack by removing its collection of AWS resources) lets you respond quickly to any unauthorized action that could alter your AWS environment.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
With SNS integration you increase the visibility of your AWS CloudFormation stack activity, which is beneficial for both security and management purposes.
Audit
To determine if your CloudFormation stacks are associated with AWS SNS topics for receiving notifications, perform the following:
Note: Verifying CloudFormation stack integration with the SNS service using the AWS Management Console is not currently supported.
Remediation / Resolution
To integrate your active CloudFormation stack with an SNS topic in order to receive email notifications whenever a stack event occurs, perform the following:
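The audit and remediation described above can be scripted against the output of cloudformation describe-stacks. The following is an added example, not Conformity's own code: it flags active stacks whose NotificationARNs list is empty and builds the update-stack parameters that attach an SNS topic while preserving the stack's current template, parameters and capabilities. The stack records and the SNS topic ARN are constructed sample values; live_stacks() assumes boto3 and configured AWS credentials.

```python
"""Audit CloudFormation stacks for missing SNS notification topics (added example)."""

# Constructed sample of a describe-stacks response; replace with live_stacks() for a real audit.
SAMPLE_DESCRIBE_STACKS = {"Stacks": [
    {"StackName": "web-tier", "StackStatus": "UPDATE_COMPLETE",
     "NotificationARNs": [],
     "Parameters": [{"ParameterKey": "Env", "ParameterValue": "prod"}],
     "Capabilities": ["CAPABILITY_IAM"]},
    {"StackName": "logging", "StackStatus": "CREATE_COMPLETE",
     "NotificationARNs": ["arn:aws:sns:us-east-1:123456789012:cfn-events"]},
    {"StackName": "old-test", "StackStatus": "DELETE_COMPLETE", "NotificationARNs": []},
]}


def noncompliant_stacks(stacks):
    """Return the names of active stacks that have no SNS topic attached.

    Stacks in DELETE_COMPLETE are skipped: they no longer exist and cannot be updated.
    """
    return [s["StackName"] for s in stacks
            if s.get("StackStatus") != "DELETE_COMPLETE" and not s.get("NotificationARNs")]


def update_stack_args(stack, topic_arn):
    """Build the update-stack parameters that attach topic_arn to an existing stack.

    UsePreviousTemplate keeps the deployed template; every existing parameter is
    re-sent with UsePreviousValue so the update does not reset it to its default,
    and the stack's current capabilities are re-acknowledged so the update is accepted.
    """
    return {
        "StackName": stack["StackName"],
        "UsePreviousTemplate": True,
        "NotificationARNs": [topic_arn],
        "Parameters": [{"ParameterKey": p["ParameterKey"], "UsePreviousValue": True}
                       for p in stack.get("Parameters", [])],
        "Capabilities": stack.get("Capabilities", []),
    }


def live_stacks():
    """Fetch every stack in the account/region via boto3 (assumes credentials are configured)."""
    import boto3  # only needed for a live audit, so imported here
    cfn = boto3.client("cloudformation")
    stacks = []
    for page in cfn.get_paginator("describe_stacks").paginate():
        stacks.extend(page["Stacks"])
    return stacks


if __name__ == "__main__":
    for name in noncompliant_stacks(SAMPLE_DESCRIBE_STACKS["Stacks"]):
        print("no SNS topic attached:", name)
```

Pass the dictionary returned by update_stack_args as keyword arguments to boto3's cloudformation update_stack call after the SNS topic has been created and its subscription confirmed.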
References
- AWS Documentation
  - How Does AWS CloudFormation Work?
  - Amazon Simple Notification Service-backed Custom Resources
  - AWS::CloudFormation::Stack
- AWS Command Line Interface (CLI) Documentation
  - cloudformation
    - list-stacks
    - describe-stacks
    - update-stack
  - sns
    - create-topic
    - list-topics
    - subscribe
    - confirm-subscription
Rule: Enable AWS CloudFormation Stack Notifications
Risk level: Medium