CloudFormation Stack Termination Protection

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CFM-005

Ensure that the Termination Protection safety feature is enabled for your Amazon CloudFormation stacks in order to protect them from being accidentally deleted. The feature can be enabled when you create or update a CloudFormation stack. Once enabled, any attempt to delete the protected stack fails and the stack (including its current status) remains unchanged.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

With the Termination Protection safety feature enabled, your protected CloudFormation stacks cannot be terminated (i.e. permanently deleted) by accident, which keeps the AWS cloud environment created by the stack, and the data it holds, intact.

Note: The Amazon CloudFormation Stack Policy is another feature that prevents stack resources from being unintentionally updated or deleted during a stack update. However, a Stack Policy cannot fully protect your stack from being terminated, because IAM users who have permission to delete the stack can still delete it.


Audit

To determine if termination protection is enabled for your Amazon CloudFormation stacks, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudFormation console at https://console.aws.amazon.com/cloudformation/.

03 Click on the name (link) of the CloudFormation stack that you want to examine.

04 Select the Stack info tab to access the configuration information available for the selected stack.

05 In the Overview section, check the Termination protection configuration attribute value. If the attribute value is set to Disabled, the Termination Protection safety feature is not enabled for the selected Amazon CloudFormation stack.

06 Repeat steps no. 3 – 5 for each Amazon CloudFormation stack available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run the list-stacks command (OSX/Linux/UNIX) to list the name of each active Amazon CloudFormation stack (i.e. each stack in CREATE_COMPLETE or UPDATE_COMPLETE status) available in the selected AWS region:

aws cloudformation list-stacks \
  --region us-east-1 \
  --stack-status-filter CREATE_COMPLETE UPDATE_COMPLETE \
  --output table \
  --query 'StackSummaries[*].StackName'

02 The command output should return a table with the requested stack name(s):

-----------------------------
|         ListStacks        |
+---------------------------+
| cc-production-web-stack   |
| cc-demo-application-stack |
| cc-project5-test-stack    |
+---------------------------+

03 Run the describe-stacks command (OSX/Linux/UNIX) using the name of the Amazon CloudFormation stack that you want to examine as the identifier parameter, together with a custom query filter, to describe the Termination Protection feature status of the selected stack:

aws cloudformation describe-stacks \
  --region us-east-1 \
  --stack-name cc-production-web-stack \
  --query 'Stacks[*].EnableTerminationProtection'

04 The command output should return the requested feature status (true for enabled, false for disabled):

[
    false
]

If the value returned by the describe-stacks command output is false, as shown in the example above, the Termination Protection safety feature is disabled for the selected Amazon CloudFormation stack.

05 Repeat steps no. 3 and 4 for each Amazon CloudFormation stack available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable the Termination Protection feature for your Amazon CloudFormation stacks, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudFormation console at https://console.aws.amazon.com/cloudformation.

03 Select the Amazon CloudFormation stack that you want to protect from accidental deletion.

04 Choose Stack actions from the console top menu and select Edit termination protection.

05 In the Edit termination protection for <stack-name>? dialog box, choose Enabled under Termination protection, to enable the Termination Protection safety feature for the selected stack. Choose Save to apply the changes.

06 Repeat steps no. 3 – 5 to enable Termination Protection for each Amazon CloudFormation stack available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run the update-termination-protection command (OSX/Linux/UNIX) using the name of the Amazon CloudFormation stack that you want to protect from accidental deletion as the identifier parameter, to enable the Termination Protection safety feature for the selected stack. Once the feature is enabled, any attempt by an AWS user to delete the stack fails and the stack remains unchanged:

aws cloudformation update-termination-protection \
  --region us-east-1 \
  --stack-name cc-production-web-stack \
  --enable-termination-protection

02 The command output should return the ID of the reconfigured CloudFormation stack:

{
	"StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/cc-production-web-stack/abcdabcd-abcd-abcd-abcd-abcdabcdabcd"
}

03 Repeat steps no. 1 and 2 to enable Termination Protection for each Amazon CloudFormation stack available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
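The Audit and Remediation steps above are performed one stack at a time. The script below is an added example, not Conformity's own code, that runs the same two checks across every top-level stack in a region and, when invoked with --remediate, applies the same update-termination-protection call to the stacks that report false. It assumes a configured AWS CLI and the region passed as the first argument; the stack names in the comments are the page's sample values. It also goes beyond the page in two respects: it filters on all *_COMPLETE statuses so that stacks updated since creation are not skipped, and it excludes nested stacks, because termination protection is inherited from the root stack and cannot be changed on a nested stack directly.

```shell
#!/bin/sh
# Added example (not Conformity's code): audit every top-level CloudFormation
# stack in one region for Termination Protection (rule CFM-005) and, with
# --remediate, enable it where it is off.
# Usage:  sh cfm005.sh <region> [--remediate]

# Maps the text output of
#   aws cloudformation describe-stacks --query 'Stacks[0].EnableTerminationProtection' --output text
# to a verdict. The AWS CLI renders booleans as "True"/"False" in text mode and
# a missing attribute as "None".
classify_protection() {
  case "$1" in
    True|true)   echo COMPLIANT ;;
    False|false) echo NON_COMPLIANT ;;
    *)           echo UNKNOWN ;;
  esac
}

# Lists top-level stacks only. Nested stacks carry a ParentId and inherit
# termination protection from their root stack, so they are left out.
# All *_COMPLETE statuses are requested so that a stack that has been updated
# since creation (UPDATE_COMPLETE) is not missed by a CREATE_COMPLETE-only filter.
list_top_level_stacks() {
  aws cloudformation list-stacks \
    --region "$1" \
    --stack-status-filter CREATE_COMPLETE UPDATE_COMPLETE UPDATE_ROLLBACK_COMPLETE IMPORT_COMPLETE \
    --output text \
    --query 'StackSummaries[?ParentId==`null`].StackName' | tr '\t' '\n'
}

# Raw EnableTerminationProtection value for one stack (step 3 of the Audit).
protection_status() {
  aws cloudformation describe-stacks \
    --region "$1" \
    --stack-name "$2" \
    --output text \
    --query 'Stacks[0].EnableTerminationProtection'
}

# The Remediation call from the page, applied to one stack; prints the StackId.
enable_protection() {
  aws cloudformation update-termination-protection \
    --region "$1" \
    --stack-name "$2" \
    --enable-termination-protection \
    --output text --query StackId
}

# Audits one region and prints "region<TAB>stack<TAB>verdict" per stack,
# e.g. "us-east-1  cc-production-web-stack  NON_COMPLIANT".
# Returns non-zero when any stack is non-compliant, so it can gate a pipeline.
audit_region() {
  region=$1; mode=${2:-}
  noncompliant=0
  for stack in $(list_top_level_stacks "$region"); do
    verdict=$(classify_protection "$(protection_status "$region" "$stack")")
    printf '%s\t%s\t%s\n' "$region" "$stack" "$verdict"
    if [ "$verdict" = NON_COMPLIANT ]; then
      noncompliant=$((noncompliant + 1))
      if [ "$mode" = --remediate ]; then
        printf 'enabled termination protection on %s\n' "$(enable_protection "$region" "$stack")"
      fi
    fi
  done
  printf '%d non-compliant stack(s) in %s\n' "$noncompliant" "$region"
  [ "$noncompliant" -eq 0 ]
}

# Run the audit only when a region was given, so the functions above can also
# be sourced and used individually.
if [ $# -gt 0 ]; then
  audit_region "$@"
fi
```

Run it once per region (the page's "repeat for other regions" step), for example `sh cfm005.sh us-east-1` to audit and `sh cfm005.sh us-east-1 --remediate` to fix. Note that the protection itself is only as strong as the IAM boundary around it: a principal allowed to call update-termination-protection can turn it off again, so the audit is worth scheduling rather than running once.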

Publication date Oct 14, 2017