Ensure that the Termination Protection safety feature is enabled for your Amazon CloudFormation stacks in order to protect them from accidental deletion. The feature can be enabled when you create or update a CloudFormation stack. Once it is enabled, any attempt to delete a protected stack fails and the stack (including its current status) remains unchanged.
This rule can help you with the following compliance standards:
- APRA
- MAS
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
With the Termination Protection safety feature enabled, your protected CloudFormation stacks cannot be terminated (i.e. permanently deleted) accidentally, so the AWS cloud environment created by the stack and its data remain intact.
Note: The Amazon CloudFormation Stack Policy is also a feature that prevents stack resources from being unintentionally updated or deleted during a stack update. However, a Stack Policy cannot fully protect your stack from being terminated, because IAM users who have permission to delete the stack can still delete it.
Audit
To determine if termination protection is enabled for your Amazon CloudFormation stacks, perform the following operations:
Remediation / Resolution
To enable the Termination Protection feature for your Amazon CloudFormation stacks, perform the following operations:
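The audit and the remediation above, combined into one added example that is not Conformity's own tooling: the stack records are in the shape of a DescribeStacks response (constructed sample data, not a real account), `unprotected_stacks` flags root stacks that lack protection, and `remediate` calls the same API that `update-termination-protection` wraps. Nested stacks are skipped because their setting is inherited from the root stack, and stacks already being deleted are ignored; the `audit_account` helper and the `fix` flag are assumptions for a live run with boto3.

```python
from typing import Dict, List

# Constructed sample shaped like a DescribeStacks response (not real account data).
SAMPLE_STACKS: List[Dict] = [
    {"StackName": "prod-network", "StackId": "arn:aws:cloudformation:us-east-1:111111111111:stack/prod-network/1",
     "StackStatus": "CREATE_COMPLETE", "EnableTerminationProtection": True},
    {"StackName": "prod-db", "StackId": "arn:aws:cloudformation:us-east-1:111111111111:stack/prod-db/2",
     "StackStatus": "UPDATE_COMPLETE", "EnableTerminationProtection": False},
    # Nested stack: protection is inherited from the root and cannot be set here.
    {"StackName": "prod-db-Nested-X", "StackId": "arn:aws:cloudformation:us-east-1:111111111111:stack/prod-db-Nested-X/3",
     "StackStatus": "CREATE_COMPLETE", "EnableTerminationProtection": False,
     "ParentId": "arn:aws:cloudformation:us-east-1:111111111111:stack/prod-db/2",
     "RootId": "arn:aws:cloudformation:us-east-1:111111111111:stack/prod-db/2"},
    {"StackName": "old-test", "StackId": "arn:aws:cloudformation:us-east-1:111111111111:stack/old-test/4",
     "StackStatus": "DELETE_IN_PROGRESS", "EnableTerminationProtection": False},
]

# Stacks in these states are already on their way out; flagging them is noise.
TRANSIENT = {"DELETE_IN_PROGRESS", "DELETE_COMPLETE", "REVIEW_IN_PROGRESS"}


def unprotected_stacks(stacks: List[Dict]) -> List[str]:
    """Names of root stacks that a single delete-stack call could remove."""
    findings = []
    for s in stacks:
        if s.get("StackStatus") in TRANSIENT:
            continue
        if "RootId" in s and s["RootId"] != s["StackId"]:
            continue  # nested stack: inherits the root stack's setting
        if not s.get("EnableTerminationProtection", False):
            findings.append(s["StackName"])
    return findings


def remediate(stack_names: List[str], cfn) -> List[str]:
    """Enable termination protection through the CloudFormation API. cfn is a
    boto3 client (or a stand-in with the same method); returns stacks updated."""
    done = []
    for name in stack_names:
        cfn.update_termination_protection(EnableTerminationProtection=True, StackName=name)
        done.append(name)
    return done


def audit_account(fix: bool = False) -> List[str]:
    """Live run against the caller's AWS credentials (assumed helper; needs boto3)."""
    import boto3  # imported here so the logic above stays testable offline
    cfn = boto3.client("cloudformation")
    stacks = [s for page in cfn.get_paginator("describe_stacks").paginate() for s in page["Stacks"]]
    findings = unprotected_stacks(stacks)
    return remediate(findings, cfn) if fix else findings
```

Run `audit_account()` to list findings and `audit_account(fix=True)` to enable protection on each root stack it reports.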
References
- AWS Documentation
- How Does AWS CloudFormation Work?
- Working with Stacks
- AWS CloudFormation provides Stack Termination Protection
- Protecting a Stack From Being Deleted
- AWS Command Line Interface (CLI) Documentation
- cloudformation
- list-stacks
- describe-stacks
- update-termination-protection