Logo of Trend Micro

Enable AWS CloudFormation Stack Notifications

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: CFM-001

Ensure all your AWS CloudFormation stacks are using Simple Notification Service (AWS SNS) in order to receive notifications when an event occurs. Monitoring stack events such as create - which triggers the provisioning process based on a defined CloudFormation template, update – which updates the stack configuration or delete – which terminates the stack by removing its collection of AWS resources, will enable you to respond fast to any unauthorized action that could alter your AWS environment.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

With SNS integration you can increase the visibility of your AWS CloudFormation stack activity, beneficial for security and management purposes.

Audit

To determine if your CloudFormation stacks are associated with AWS SNS topics for receiving notifications, perform the following:

Note: Verifying CloudFormation stack integration with the SNS service using AWS Management Console is not currently supported.

Using AWS CLI

01 Run list-stacks command (OSX/Linux/UNIX) to list the names of all CloudFormation stacks available in the selected AWS region: 

aws cloudformation list-stacks
	--region us-east-1
	--output table
	--query 'StackSummaries[*].StackName'

02 The command output should return a table with the requested CloudFormation stack names: 

--------------------
|    ListStacks    |
+------------------+
|  MyWebProdStack  |
|  MyWebTestStack  |
|  MyWebDevStack   |
+------------------+

03 Now run describe-stacks command (OSX/Linux/UNIX) to get the full description for the specified CloudFormation stack: 

aws cloudformation describe-stacks
	--region us-east-1
	--stack-name MyWebProdStack

04 The command output should return the selected stack description metadata:

{
    "Stacks": [
        {
            "StackId": "arn:aws:cloudformation:us-east-1:123456789012:
                        stack/MyWebProdStack/f1f44d-65e3-503f23fb55fe",
            "Description": "AWS CloudFormation Production Template",
            "Parameters": [
                {
                    "ParameterValue": "sshprod",
                    "ParameterKey": "KeyName"
                },
                {
                    "ParameterValue": "c3.xlarge",
                    "ParameterKey": "InstanceType"
                }
            ],
            "Outputs": [
                {
                    "Description": "EC2 InstanceId",
                    "OutputKey": "InstanceId",
                    "OutputValue": "i-35a1ee594c8ff55c4"
                },
                {
                    "Description": "EC2 PublicIP",
                    "OutputKey": "PublicIP",
                    "OutputValue": "59.152.75.18"
                }
            ],
            "CreationTime": "2014-08-19T08:07:17.362Z",
            "StackName": "MyWebProdStack",
            "NotificationARNs": [],
            "StackStatus": "UPDATE_COMPLETE",
            "LastUpdatedTime": "2016-01-14T10:28:20.801Z"
        }
    ]
}

If the NotificationARNs parameter (highlighted) has an empty array as its value (as shown in the output example above), the selected CloudFormation stack is not associated with an SNS topic. To associate the selected stack with an SNS topic and get notifications about the necessary events, follow the Remediation/Resolution section.

05 Repeat step no. 3 and 4 to verify the SNS integration of the other stacks available in the selected region.

06 Perform steps no. 1 – 5 to repeat the audit process for the other AWS regions.

Remediation / Resolution

To integrate your active CloudFormation stack with an SNS topic in order to receive email notifications whenever a stack event occurs, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudFormation dashboard at http://console.aws.amazon.com/cloudformation/.

03 Use the Filter dropdown menu to list all the active stacks available in the current AWS region.

04 Select a CloudFormation stack that you want to examine.

05 Click the Action dropdown menu from the dashboard top menu and select Update Stack:

Click the Action dropdown menu from the dashboard top menu and select Update Stack

to access the stack configuration page.

06 Click the Next button until you reach the Options page.

07 In the Advanced section, under Notification options, perform one of the following actions:

    cloudformation-new-sns-topic
  1. Select New Amazon SNS topic: Select New Amazon SNS topic to create a new SNS topic and subscribe to it using your email address. In the Topic box enter a name for the new SNS topic and in the Email box enter the email address where you want to receive notifications, as soon as changes are made to the selected stack.
  2. Select Existing Amazon SNS topic and choose a pre-existing SNS topic from the dropdown list: Select Existing Amazon SNS topic and choose a pre-existing SNS topic from the dropdown list.
  3. Select Existing topic ARN and type the Amazon Resource Name (ARN) of an existing SNS topic, e.g. arn:aws:sns:us-east-1:123456789012:MyCFSNSTopic.

08 Click Next and review the new configuration for the selected stack.

09 Click Update to apply the changes. Once the stack status is changed to UPDATE_COMPLETE, the integration with the selected SNS topic is complete.

10 If you chose to create a new SNS topic (step no. 8 a.), use your email client application and open the message from AWS Notifications, then click on the appropriate link to confirm your subscription.

11 Repeat steps no. 4 – 10 to integrate AWS SNS with other CloudFormation stacks available in the selected region.

12 Change the AWS region from the navigation bar to repeat the process for the other regions.

Using AWS CLI

To associate a Simple Notification Service (SNS) topic with the selected CloudFormation stack you need to get first the SNS topic ARN. If you need to create a new SNS topic follow the next step. To use an existing topic, just go to step no. 2.'

01 Create a new SNS topic for integration with the selected CloudFormation stack:

  1. Run create-topic command (OSX/Linux/UNIX) to create a new SNS topic for sending email notifications: 
    aws sns create-topic
	--region us-east-1
	--name MyCFSNSTopic
  2. The command output should return the new SNS topic ARN:
    {
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:MyCFSNSTopic"
}
  3. Run subscribe command (OSX/Linux/UNIX) to send the subscription confirmation message to the notification-endpoint (i.e. your email address):
    aws sns subscribe
	--topic-arn arn:aws:sns:us-east-1:123456789012:MyCFSNSTopic
	--protocol email
	--notification-endpoint user@domain.com
  4. Run confirm-subscription command (OSX/Linux/UNIX) to confirm the subscription by validating the token sent to the notification endpoint selected (the command does not return an output):
    aws sns confirm-subscription
	--topic-arn arn:aws:sns:us-east-1:123456789012:MyCFSNSTopic
	--token 2035092f37fb687f5d51e6e241d7700ae02f7124d8268910b858cb4db727ceeb2474bb937929d3bdd7ce5d0cce19325d036bc858d3c217426bcafa9c501a2cace93b83f1dd3797627467553dc438a8c974119496fc3eff026eaa5d14472ded6f9a5c43aec62d83ef5f49109da718e14

02 Run list-topics command (OSX/Linux/UNIX) to list the ARN of each SNS topic available in the selected AWS region:

aws sns list-topics
	--region us-east-1

03The command output should return the requested ARN(s):

{
    "Topics": [
        {
            "TopicArn": "arn:aws:sns:us-east-1:123456789012:CFNotifyMe"
        },
        {
            "TopicArn": "arn:aws:sns:us-east-1:123456789012:MySNSTopic"
        }

    ]
}

04Run update-stack command (OSX/Linux/UNIX) to update the selected CloudFormation stack and associate it with the specified SNS topic by using the topic ARN as identifier:

aws cloudformation update-stack
	--stack-name MyWebProdStack
	--use-previous-template
	--notification-arns "arn:aws:sns:us-east-1:123456789012:CFNotifyMe"

05The command output should return the ID of the updated stack:

{
    "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/
                MyWebProdStack/f1f44d40-65e3-11e6-a140-503f23fb55fe"
}

06 Repeat step no. 4 and 5 to integrate AWS SNS with other CloudFormation stacks available in the selected region.

07 Change the AWS region to repeat the process for the other regions.

References

Publication date Feb 6, 2017

Related CloudFormation rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Enable AWS CloudFormation Stack Notifications

Risk level: Medium