Ensure that your Amazon CloudFormation stacks have the Termination Protection feature enabled in order to protect them from being accidentally deleted. This safety feature can be enabled when you create a CloudFormation stack, or for existing stacks through the AWS API (the UpdateTerminationProtection action). Once enabled, any attempt to delete the stack fails and the stack, including its current status, remains unchanged. For production stacks, Cloud Conformity strongly recommends using Termination Protection in addition to a well-defined Stack Policy in order to make your stack even safer.
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
With the Termination Protection safety feature enabled, your CloudFormation stacks cannot be terminated (i.e. permanently deleted) accidentally, so the AWS environment created by the stack and its data remain safe.
Note: The CloudFormation Stack Policy is also a feature that prevents stack resources from being unintentionally updated or deleted during a stack update. However, a Stack Policy cannot protect your stack from being terminated, as IAM users who have permission to delete the stack can still delete it.
To determine if your Amazon CloudFormation stacks have the Termination Protection feature enabled, perform the following:
Remediation / Resolution
To enable the Termination Protection safety feature for your Amazon CloudFormation stacks, perform the following:
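As an added example (not from this page or Cloud Conformity's tooling), the check below runs over a constructed DescribeStacks response, the shape returned by `aws cloudformation describe-stacks` or boto3's `describe_stacks()`: it lists live root stacks without termination protection, skipping nested stacks (their protection is inherited from the root stack and cannot be set on them directly) and already-deleted stacks, and prints the `update-termination-protection` CLI command for each. The stack names and ARN are constructed sample values.

```python
"""Audit CloudFormation stacks for Termination Protection (added example).

Assumes the DescribeStacks response shape; boto3 describe_stacks() returns the
same dict, so the functions below work unchanged on a real (paginated) response.
"""

# A stack in this status no longer exists and cannot be protected.
TERMINAL_STATUSES = {"DELETE_COMPLETE"}

# Constructed sample shaped like a DescribeStacks response (not real account data).
SAMPLE_RESPONSE = {
    "Stacks": [
        {"StackName": "prod-network", "StackStatus": "CREATE_COMPLETE",
         "EnableTerminationProtection": True},
        {"StackName": "prod-app", "StackStatus": "UPDATE_COMPLETE",
         "EnableTerminationProtection": False},
        # Older stacks may omit the field entirely; treat a missing value as disabled.
        {"StackName": "legacy-db", "StackStatus": "CREATE_COMPLETE"},
        # Nested stacks inherit protection from their root stack; do not flag them.
        {"StackName": "prod-app-Subnet-EXAMPLE", "StackStatus": "CREATE_COMPLETE",
         "EnableTerminationProtection": False,
         "ParentId": "arn:aws:cloudformation:us-east-1:123456789012:stack/prod-app/EXAMPLE-ID"},
        {"StackName": "old-test", "StackStatus": "DELETE_COMPLETE",
         "EnableTerminationProtection": False},
    ]
}


def find_unprotected_stacks(response):
    """Return names of existing root stacks whose termination protection is off."""
    unprotected = []
    for stack in response.get("Stacks", []):
        if stack.get("StackStatus") in TERMINAL_STATUSES:
            continue
        if stack.get("ParentId"):  # nested stack: protection follows the root stack
            continue
        if not stack.get("EnableTerminationProtection", False):
            unprotected.append(stack["StackName"])
    return unprotected


def remediation_commands(stack_names):
    """AWS CLI command that enables termination protection for each named stack."""
    return ["aws cloudformation update-termination-protection "
            f"--enable-termination-protection --stack-name {name}"
            for name in stack_names]


if __name__ == "__main__":
    # On a live account, merge the "Stacks" lists of every DescribeStacks page first.
    for cmd in remediation_commands(find_unprotected_stacks(SAMPLE_RESPONSE)):
        print(cmd)
```

Anyone holding cloudformation:UpdateTerminationProtection can turn the setting back off, so pair the check with IAM restrictions on that action for production stacks.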
Enable AWS CloudFormation Stack Termination Protection
Risk level: Medium