Ensure your AWS CloudFormation stacks are using policies as a fail-safe mechanism in order to prevent accidental updates to stack resources. A CloudFormation stack policy is a JSON-based document that defines which actions can be performed on specified resources.
This rule can help you with the following compliance standards:
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
With CloudFormation stack policies you can protect all or certain resources in your stacks from being unintentionally updated or deleted during the update process.
To determine if your CloudFormation stacks are using policies to protect their resources from being unintentionally updated, perform the following:Note: Verifying CloudFormation stacks for policies using AWS Management Console is not currently supported.
Remediation / Resolution
To define CloudFormation stack policies based on your requirements and apply these policies to your existing stacks, perform the following:Note: Attaching policies to existing CloudFormation stacks using AWS Management Console is not currently supported.
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
AWS CloudFormation Stack Policy
Risk level: Medium