Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

CloudFormation Stack Policy

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CFM-002

Ensure your AWS CloudFormation stacks are using policies as a fail-safe mechanism in order to prevent accidental updates to stack resources. A CloudFormation stack policy is a JSON-based document that defines which actions can be performed on specified resources.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by TrendAI Vision One™ Cloud Risk Management, see here.

This rule can help you work with the AWS Well-Architected Framework.

Security

With CloudFormation stack policies you can protect all or certain resources in your stacks from being unintentionally updated or deleted during the update process.

Audit

To determine if your CloudFormation stacks are using policies to protect their resources from being unintentionally updated, perform the following:

Note: Verifying CloudFormation stacks for policies using AWS Management Console is not currently supported.

Using AWS CLI

  1. Run list-stacks command (OSX/Linux/UNIX) to list the names of all CloudFormation stacks available in the selected AWS region:

    aws cloudformation list-stacks
    --region us-east-1
    --output table
    --query 'StackSummaries[*].StackName'

  2. The command output should return a table with the requested CloudFormation stack names:

    --------------------
|    ListStacks    |
+------------------+
|  MyAppProdStack  |
|  MyAppTestStack  |
|  MyAppDevStack   |
+------------------+

  3. Now run get-stack-policy command (OSX/Linux/UNIX) to expose the stack policy for the specified CloudFormation stack:

    aws cloudformation get-stack-policy
	--region us-east-1
	--stack-name MyAppProdStack

  4. The command output should return the policy document body for the selected stack, e.g.:

    {
   "StackPolicyBody": "{
      "Statement" : [
        {
          "Effect" : "Deny",
          "Action" : "Update:*",
          "Principal": "*",
          "Resource" : "*"
        }
      ]
   }"
}

    If the command is not returning an output, the selected CloudFormation stack does not have any policies attached, therefore the stack resources are not protected against accidental updates. To apply a policy to an existing stack, follow the steps outlined in the Remediation/Resolution section.

  5. Repeat step no. 3 and 4 to verify if the other stacks available in the selected region have policies attached.

  6. Perform steps no. 1 – 5 to repeat the audit process for the other AWS regions.

Remediation / Resolution

To define CloudFormation stack policies based on your requirements and apply these policies to your existing stacks, perform the following:

Note: Attaching policies to existing CloudFormation stacks using AWS Management Console is not currently supported.

Using AWS CLI

  1. Define the stack policy based on the type of resources that you want to protect against accidental updates. A stack policy is a JSON-based document that contains the stack update actions performed by all CloudFormation users and the resources that these actions apply to. Based on your needs, you can use one of the example policies defined below.

    1. To prevent updates to all stack resources, use the following policy document: 
      {
  "Statement" : [
    {
      "Effect" : "Deny",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*"
    }
  ]
}
    2. To prevent updates to a certain stack resource, use the following policy document. The resource used in the example below is an EC2 instance available within the stack (highlighted): 
      {
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*"
    },
    {
      "Effect" : "Deny",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "MyEC2Instance/ProductionAppServer"
    }
  ]
}
    3. To prevent updates to all Instances of a stack resource type, use the following policy document. The resource type used in the example below is the EC2 instance (highlighted): 
      {
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*"
    },
    {
      "Effect" : "Deny",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : {
          "ResourceType" : ["AWS::EC2::Instance"]
        }
      }
    }
  ]
}
    4. To prevent updates to nested CloudFormation stacks, use the following policy document: 
      {
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*"
    },
    {
      "Effect" : "Deny",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : {
          "ResourceType" : ["AWS::CloudFormation::Stack"]
        }
      }
    }
  ]
}

  2. Now run create-bucket command (OSX/Linux/UNIX) to create the S3 bucket that will store your stack policies. The S3 bucket must be created in the same AWS region as the CloudFormation stack:

    aws s3api create-bucket
    --bucket cfn-policies
    --region us-east-1

  3. The command output should return the new S3 bucket location:

    {
    "Location": "/cfn-policies"
}

  4. Paste one of the policy documents outlined at step no. 1 in a JSON file (e.g., cfn-custom-policy.json) based on your requirements, then run put-object command (OSX/Linux/UNIX) to upload the file to the newly created S3 bucket:

    aws s3api put-object
    --bucket cfn-policies
    --key cfn-custom-policy.json
    --body cfn-custom-policy.json

  5. The command output should return the entity tag (ETag) for the uploaded JSON file:

    {
    "ETag": "\"1a9339b338972f4de8d2550180da7d31\""
}

  6. Run set-stack-policy command (OSX/Linux/UNIX) to attach the stack policy created at step no. 4 to the selected CloudFormation stack (if successful, the command does not return an output):

    aws cloudformation set-stack-policy
    --region us-east-1
    --stack-name MyAppProdStack
    --stack-policy-url https://s3.amazonaws.com/cfn-policies/cfn-custom-policy.json

  7. Once attached, you cannot detach a stack policy. If you need to update your stack and remove the protection from all resources, you can modify the policy to explicitly allow all actions on all resources and repeat steps no. 4 – 6 to apply the new policy. The following policy allows all updates on all resources available in the stack:

    {
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*"
    }
  ]
}

  8. Repeat step no. 4 – 6 to apply stack policies to other CloudFormation stacks available in the selected region.

  9. Change the AWS region to repeat the process for the other regions.

References

Publication date Feb 6, 2017

Related CloudFormation rules