
Enable AWS CloudFormation Stack Termination Protection

Security

Risk level: Medium (should be achieved)

Ensure that your Amazon CloudFormation stacks have the Termination Protection feature enabled in order to protect them from being accidentally deleted. This safety feature can be enabled when you create a CloudFormation stack, or for existing stacks through the AWS API (UpdateTerminationProtection operation). Once it is enabled, any attempt to delete the stack fails and the stack, including its current status, remains unchanged. For production stacks, Cloud Conformity strongly recommends using the Termination Protection feature in addition to a well-defined Stack Policy in order to make your stacks even safer.

With the Termination Protection safety feature enabled, you have the guarantee that your CloudFormation stacks cannot be terminated (i.e. permanently deleted) accidentally, which keeps the AWS environment created by the stack, and its data, safe. Note: the CloudFormation Stack Policy is a separate feature that prevents stack resources from being unintentionally updated or deleted during a stack update. However, a Stack Policy cannot protect the stack itself from being terminated: IAM users who have permission to delete the stack can still delete it.

Audit

To determine if your Amazon CloudFormation stacks have Termination Protection feature enabled, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudFormation dashboard at https://console.aws.amazon.com/cloudformation/.

03 Choose the CloudFormation stack that you want to examine then click on its identifier (name) link.

04 On the Stack Detail page, within the main section, verify the Termination protection attribute value set for the selected stack. If the attribute value is set to disabled, the Termination Protection safety feature is not currently enabled for the selected Amazon CloudFormation stack.

05 Repeat step no. 3 and 4 to verify the Termination Protection feature status for other CloudFormation stacks available in the current region.

06 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run list-stacks command (OSX/Linux/UNIX) to list the names of all CloudFormation stacks available in the selected AWS region:

aws cloudformation list-stacks \
  --region us-east-1 \
  --output table \
  --query 'StackSummaries[*].StackName'

02 The command output should return a table with the requested stack names:

---------------------------
|        ListStacks       |
+-------------------------+
| cc-production-web-stack |
| cc-demo-app-stack-v2    |
| cc-staging-env-stack    |
+-------------------------+

03 Run describe-stacks command (OSX/Linux/UNIX) using custom query filters to expose the Termination Protection feature status available for the selected AWS CloudFormation stack:

aws cloudformation describe-stacks \
  --region us-east-1 \
  --stack-name cc-production-web-stack \
  --query 'Stacks[*].EnableTerminationProtection'

04 The command output should return the Termination Protection feature status (true for enabled, false for disabled):

[
    false
]

If the Boolean value returned by the describe-stacks command is false, the Termination Protection safety feature is currently disabled for the selected Amazon CloudFormation stack.

05 Repeat step no. 3 and 4 to check the Termination Protection feature status for other CloudFormation stacks available in the current region.

06 Perform steps no. 1 – 5 to repeat the entire audit process for the other AWS regions.

Remediation / Resolution

To enable Termination Protection safety feature for your Amazon CloudFormation stacks, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudFormation dashboard at https://console.aws.amazon.com/cloudformation/.

03 Select the CloudFormation stack that you want to protect from accidental deletion (see Audit section part I to identify the right resource).

04 Click the Actions dropdown button from the CloudFormation dashboard top menu and select Change termination protection.

05 Inside Enable termination protection dialog box, click Yes, Enable to switch on the feature for the selected stack. The CloudFormation dashboard should display now the following confirmation message: Success: Termination protection was successfully changed for <stack_name> and the feature status should change to Enabled.

06 Repeat steps no. 3 – 5 to enable the safety feature for other CloudFormation stacks created in the current region.

07 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run update-termination-protection command (OSX/Linux/UNIX) using the name of the stack that you want to protect from accidental deletion as identifier (see Audit section part II to identify the right resource) to enable Termination Protection feature for the specified CloudFormation stack. If an AWS user attempts to delete a CloudFormation stack with Termination Protection enabled, the operation fails and the stack remains unchanged:

aws cloudformation update-termination-protection \
  --region us-east-1 \
  --stack-name cc-production-web-stack \
  --enable-termination-protection

02 The command output should return the ID of the selected AWS CloudFormation stack:

{
    "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/cc-production-web-stack/aaaabbbb-ad8e-11e3-9315-cccdddeeefff"
}

03 Repeat step no. 1 and 2 to enable the Termination Protection feature for other CloudFormation stacks provisioned in the current region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 3 to perform the entire process for other regions.
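The CLI audit (steps 1 to 6) and the CLI remediation (steps 1 to 4) above are repeated per stack and per region by hand. The script below is an added example, not Cloud Conformity's or AWS's own code: it drives the same AWS CLI commands from Python so that every region is audited in one run and, with a hypothetical --fix flag, unprotected stacks are remediated with update-termination-protection. It assumes the AWS CLI is installed and credentials are configured; the REGIONS list and the SAMPLE_DESCRIBE_STACKS JSON are constructed for illustration. Unlike the manual steps, it calls describe-stacks without --stack-name, which returns every stack in the region in one call, and it fails closed by treating a missing EnableTerminationProtection key as "disabled".

```python
#!/usr/bin/env python3
"""Audit, and optionally remediate, CloudFormation termination protection in all regions.

Added example (not the page's or AWS's code). Wraps the AWS CLI commands shown on
the page: describe-stacks to audit, update-termination-protection to remediate.
"""
import json
import shutil
import subprocess
import sys

# Assumption: regions to audit; adjust to the regions your account actually uses.
REGIONS = ["us-east-1", "us-west-2", "eu-west-1"]

# Constructed describe-stacks output covering the cases the filter must handle:
# protected, unprotected, attribute missing, and a nested stack (has ParentId).
SAMPLE_DESCRIBE_STACKS = json.dumps({"Stacks": [
    {"StackName": "cc-production-web-stack", "StackStatus": "CREATE_COMPLETE",
     "EnableTerminationProtection": False},
    {"StackName": "cc-demo-app-stack-v2", "StackStatus": "UPDATE_COMPLETE",
     "EnableTerminationProtection": True},
    {"StackName": "cc-staging-env-stack", "StackStatus": "CREATE_COMPLETE"},
    {"StackName": "cc-production-web-stack-Db-NESTED", "StackStatus": "CREATE_COMPLETE",
     "ParentId": "arn:aws:cloudformation:us-east-1:123456789012:stack/"
                 "cc-production-web-stack/aaaabbbb-ad8e-11e3-9315-cccdddeeefff",
     "EnableTerminationProtection": False},
]})


def find_unprotected(describe_stacks_json: str) -> list:
    """Return the sorted names of stacks whose termination protection is not enabled.

    describe_stacks_json is the raw JSON text of `aws cloudformation describe-stacks`.
    A missing EnableTerminationProtection key counts as unprotected (fail closed).
    Nested stacks (those with a ParentId) inherit the setting from their root stack
    and cannot be changed directly, so only root stacks are reported.
    """
    unprotected = []
    for stack in json.loads(describe_stacks_json).get("Stacks", []):
        if stack.get("StackStatus") == "DELETE_COMPLETE" or stack.get("ParentId"):
            continue
        if stack.get("EnableTerminationProtection") is not True:
            unprotected.append(stack["StackName"])
    return sorted(unprotected)


def aws_cli(args: list) -> str:
    """Run one AWS CLI command with JSON output and return its stdout."""
    completed = subprocess.run(["aws", *args, "--output", "json"],
                               check=True, capture_output=True, text=True)
    return completed.stdout


def audit_region(region: str) -> list:
    """Audit one region: describe every stack and filter the unprotected ones."""
    return find_unprotected(aws_cli(["cloudformation", "describe-stacks",
                                     "--region", region]))


def protect(region: str, stack_name: str) -> str:
    """Enable termination protection for one stack; returns its StackId."""
    out = aws_cli(["cloudformation", "update-termination-protection",
                   "--region", region, "--stack-name", stack_name,
                   "--enable-termination-protection"])
    return json.loads(out)["StackId"]


def main(argv: list) -> None:
    fix = "--fix" in argv                      # hypothetical flag: remediate, not just report
    if shutil.which("aws") is None:
        # No CLI available: demonstrate the filter on the constructed sample instead.
        print("aws CLI not found; unprotected stacks in sample:",
              find_unprotected(SAMPLE_DESCRIBE_STACKS))
        return
    for region in REGIONS:
        for name in audit_region(region):
            print(f"{region}: {name} has Termination Protection DISABLED")
            if fix:
                print("  enabled on", protect(region, name))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it without arguments to get the audit report for every region in REGIONS, and with --fix to also enable the feature on each stack it reports. The nested-stack skip matters in practice: update-termination-protection is rejected for a nested stack, so the root stack is the one to fix.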


Publication date Oct 14, 2017