
Enable AWS CloudFormation Stack Notifications

Security

Risk level: Medium (should be achieved)

Ensure all your AWS CloudFormation stacks are using Simple Notification Service (AWS SNS) in order to receive notifications when an event occurs. Monitoring stack events such as create (which triggers the provisioning process based on a defined CloudFormation template), update (which changes the stack configuration) and delete (which terminates the stack by removing its collection of AWS resources) will enable you to respond quickly to any unauthorized action that could alter your AWS environment.

This rule resolution is part of the Cloud Conformity Base Auditing Package

With SNS integration you can increase the visibility of your AWS CloudFormation stack activity, which is beneficial for both security and management purposes.

Audit

To determine if your CloudFormation stacks are associated with AWS SNS topics for receiving notifications, perform the following:

Note: Verifying CloudFormation stack integration with the SNS service using the AWS Management Console is not currently supported.

Using AWS CLI

01 Run the list-stacks command (OSX/Linux/UNIX) to list the names of all CloudFormation stacks available in the selected AWS region:

aws cloudformation list-stacks \
	--region us-east-1 \
	--output table \
	--query 'StackSummaries[*].StackName'

02 The command output should return a table with the requested CloudFormation stack names:

--------------------
|    ListStacks    |
+------------------+
|  MyWebProdStack  |
|  MyWebTestStack  |
|  MyWebDevStack   |
+------------------+

03 Now run the describe-stacks command (OSX/Linux/UNIX) to get the full description of the specified CloudFormation stack:

aws cloudformation describe-stacks \
	--region us-east-1 \
	--stack-name MyWebProdStack

04 The command output should return the selected stack description metadata:

{
    "Stacks": [
        {
            "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/MyWebProdStack/f1f44d-65e3-503f23fb55fe",
            "Description": "AWS CloudFormation Production Template",
            "Parameters": [
                {
                    "ParameterValue": "sshprod",
                    "ParameterKey": "KeyName"
                },
                {
                    "ParameterValue": "c3.xlarge",
                    "ParameterKey": "InstanceType"
                }
            ],
            "Outputs": [
                {
                    "Description": "EC2 InstanceId",
                    "OutputKey": "InstanceId",
                    "OutputValue": "i-35a1ee594c8ff55c4"
                },
                {
                    "Description": "EC2 PublicIP",
                    "OutputKey": "PublicIP",
                    "OutputValue": "59.152.75.18"
                }
            ],
            "CreationTime": "2014-08-19T08:07:17.362Z",
            "StackName": "MyWebProdStack",
            "NotificationARNs": [],
            "StackStatus": "UPDATE_COMPLETE",
            "LastUpdatedTime": "2016-01-14T10:28:20.801Z"
        }
    ]
}

If the NotificationARNs attribute has an empty array as its value (as shown in the output example above), the selected CloudFormation stack is not associated with any SNS topic. To associate the selected stack with an SNS topic and receive notifications about stack events, follow the Remediation/Resolution section.

05 Repeat steps no. 3 and 4 to verify the SNS integration of the other stacks available in the selected region.

06 Perform steps no. 1 – 5 to repeat the audit process for the other AWS regions.

Remediation / Resolution

To integrate your active CloudFormation stack with an SNS topic in order to receive email notifications whenever a stack event occurs, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudFormation dashboard at http://console.aws.amazon.com/cloudformation/.

03 Use the Filter dropdown menu to list all the active stacks available in the current AWS region.

04 Select a CloudFormation stack that you want to examine.

05 Click the Action dropdown menu from the dashboard top menu and select Update Stack to access the stack configuration page.

06 Click the Next button until you reach the Options page.

07 In the Advanced section, under Notification options, perform one of the following actions:

  1. Select New Amazon SNS topic to create a new SNS topic and subscribe to it using your email address. In the Topic box enter a name for the new SNS topic and in the Email box enter the email address where you want to receive notifications as soon as changes are made to the selected stack.
  2. Select Existing Amazon SNS topic and choose a pre-existing SNS topic from the dropdown list.
  3. Select Existing topic ARN and type the Amazon Resource Name (ARN) of an existing SNS topic, e.g. arn:aws:sns:us-east-1:123456789012:MyCFSNSTopic.

08 Click Next and review the new configuration for the selected stack.

09 Click Update to apply the changes. Once the stack status is changed to UPDATE_COMPLETE, the integration with the selected SNS topic is complete.

10 If you chose to create a new SNS topic (step no. 7, option 1), use your email client application and open the message from AWS Notifications, then click on the appropriate link to confirm your subscription.

11 Repeat steps no. 4 – 10 to integrate AWS SNS with other CloudFormation stacks available in the selected region.

12 Change the AWS region from the navigation bar to repeat the process for the other regions.

Using AWS CLI

To associate a Simple Notification Service (SNS) topic with the selected CloudFormation stack you first need to get the SNS topic ARN. If you need to create a new SNS topic, follow the next step. To use an existing topic, go directly to step no. 2.

01 Create a new SNS topic for integration with the selected CloudFormation stack:

  1. Run the create-topic command (OSX/Linux/UNIX) to create a new SNS topic for sending email notifications:
    aws sns create-topic \
    	--region us-east-1 \
    	--name MyCFSNSTopic

  2. The command output should return the new SNS topic ARN:
    {
        "TopicArn": "arn:aws:sns:us-east-1:123456789012:MyCFSNSTopic"
    }

  3. Run the subscribe command (OSX/Linux/UNIX) to send the subscription confirmation message to the notification endpoint (i.e. your email address):
    aws sns subscribe \
    	--region us-east-1 \
    	--topic-arn arn:aws:sns:us-east-1:123456789012:MyCFSNSTopic \
    	--protocol email \
    	--notification-endpoint user@domain.com

  4. Run the confirm-subscription command (OSX/Linux/UNIX) to confirm the subscription by validating the token sent to the selected notification endpoint (the command does not return an output):
    aws sns confirm-subscription \
    	--region us-east-1 \
    	--topic-arn arn:aws:sns:us-east-1:123456789012:MyCFSNSTopic \
    	--token 2035092f37fb687f5d51e6e241d7700ae02f7124d8268910b858cb4db727ceeb2474bb937929d3bdd7ce5d0cce19325d036bc858d3c217426bcafa9c501a2cace93b83f1dd3797627467553dc438a8c974119496fc3eff026eaa5d14472ded6f9a5c43aec62d83ef5f49109da718e14


02 Run the list-topics command (OSX/Linux/UNIX) to list the ARN of each SNS topic available in the selected AWS region:

aws sns list-topics \
	--region us-east-1

03 The command output should return the requested ARN(s):

{
    "Topics": [
        {
            "TopicArn": "arn:aws:sns:us-east-1:123456789012:CFNotifyMe"
        },
        {
            "TopicArn": "arn:aws:sns:us-east-1:123456789012:MySNSTopic"
        }
    ]
}

04 Run the update-stack command (OSX/Linux/UNIX) to update the selected CloudFormation stack and associate it with the specified SNS topic, using the topic ARN as identifier:

aws cloudformation update-stack \
	--region us-east-1 \
	--stack-name MyWebProdStack \
	--use-previous-template \
	--parameters ParameterKey=KeyName,UsePreviousValue=true ParameterKey=InstanceType,UsePreviousValue=true \
	--notification-arns "arn:aws:sns:us-east-1:123456789012:CFNotifyMe"

Because MyWebProdStack has template parameters (KeyName and InstanceType, as shown in the audit output), each one is re-sent with UsePreviousValue=true; an update that reuses the previous template but omits the stack's parameters fails validation.

05 The command output should return the ID of the updated stack:

{
    "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/MyWebProdStack/f1f44d40-65e3-11e6-a140-503f23fb55fe"
}

06 Repeat steps no. 4 and 5 to integrate AWS SNS with other CloudFormation stacks available in the selected region.

07 Change the AWS region to repeat the process for the other regions.
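As an added example (not Cloud Conformity's own code and not part of the original page), the following Python script does with boto3 what the Audit section and the CLI remediation above do by hand: a pure function that applies the NotificationARNs check to describe-stacks output (run here on a constructed sample modelled on the output shown in the Audit section), a function that builds the same request the update-stack command above issues, and a live driver that walks every stack in a region. Stack names, ARNs and the account number are constructed sample values; boto3 and working AWS credentials are assumed only for the live driver.

```python
"""Audit CloudFormation stacks for a missing SNS notification topic and
attach one. Added example; not Cloud Conformity code."""
import json

# Stacks in these states accept an update; a stack mid-operation or in
# ROLLBACK_COMPLETE (failed creation) cannot be updated and is only reported.
UPDATABLE_STATUSES = {"CREATE_COMPLETE", "UPDATE_COMPLETE",
                      "UPDATE_ROLLBACK_COMPLETE"}

# Constructed sample shaped like `aws cloudformation describe-stacks` output:
# one stack with no topic, one already integrated (names and ARNs are made up).
SAMPLE_DESCRIBE_STACKS = json.loads("""
{
  "Stacks": [
    {"StackName": "MyWebProdStack", "StackStatus": "UPDATE_COMPLETE",
     "Parameters": [{"ParameterKey": "KeyName", "ParameterValue": "sshprod"},
                    {"ParameterKey": "InstanceType", "ParameterValue": "c3.xlarge"}],
     "NotificationARNs": []},
    {"StackName": "MyWebTestStack", "StackStatus": "CREATE_COMPLETE",
     "Parameters": [], "Capabilities": ["CAPABILITY_IAM"],
     "NotificationARNs": ["arn:aws:sns:us-east-1:123456789012:CFNotifyMe"]}
  ]
}
""")


def stacks_without_notifications(describe_output):
    """Names of stacks whose NotificationARNs list is empty or absent.

    Takes parsed describe-stacks JSON (or one boto3 paginator page), so the
    same check runs offline on saved output and live against the API.
    """
    return [s["StackName"] for s in describe_output.get("Stacks", [])
            if not s.get("NotificationARNs")]


def update_stack_request(stack, topic_arn):
    """Keyword arguments for update_stack that attach topic_arn to stack.

    Equivalent to `update-stack --use-previous-template --notification-arns`,
    plus what a non-trivial stack needs: every existing parameter is re-sent
    with UsePreviousValue (CloudFormation rejects an update that drops a
    parameter even when the previous template is reused), and the capabilities
    the stack was created with are acknowledged again.
    """
    request = {
        "StackName": stack["StackName"],
        "UsePreviousTemplate": True,
        "NotificationARNs": [topic_arn],
        "Parameters": [{"ParameterKey": p["ParameterKey"], "UsePreviousValue": True}
                       for p in stack.get("Parameters", [])],
    }
    if stack.get("Capabilities"):
        request["Capabilities"] = stack["Capabilities"]
    return request


def audit_region(region, remediate_with=None):
    """Live audit of one region; requires boto3 and AWS credentials (assumed).

    Returns the names of stacks with no notification topic. If remediate_with
    is a topic ARN, every such stack in an updatable state is updated as well.
    """
    import boto3  # imported here so the offline helpers work without the SDK
    cfn = boto3.client("cloudformation", region_name=region)
    missing = []
    for page in cfn.get_paginator("describe_stacks").paginate():
        for stack in page["Stacks"]:
            if stack.get("NotificationARNs"):
                continue
            missing.append(stack["StackName"])
            if remediate_with and stack["StackStatus"] in UPDATABLE_STATUSES:
                cfn.update_stack(**update_stack_request(stack, remediate_with))
    return missing


if __name__ == "__main__":
    # Offline run on the constructed sample; reports MyWebProdStack only.
    print(stacks_without_notifications(SAMPLE_DESCRIBE_STACKS))
```

Running the script as-is only exercises the offline check on the sample. For a real audit call audit_region("us-east-1") once per region (the page's steps 06 and 07 in the Audit section); pass remediate_with=<topic ARN> to attach the topic to each non-compliant stack that is in a state CloudFormation will update.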

Publication date Feb 6, 2017