CloudFormation has no stack policy
ID: aws_cloudformation_stack_policy
Severity: high
Vendor: AWS
Resource: IAM
Tags: reachable
Description
The CloudFormation stack has no stack policy. A stack should carry a stack policy so that its resources are protected from unintended update actions (replacement or deletion during a stack update).
To fix this, configure the stack_policy or stack_policy_body property of the amazon.aws.cloudformation task.
Learn more about this topic at AWS CloudFormation protect stack resources.
Examples
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Stack
      # Flagged: neither stack_policy nor stack_policy_body is set
      amazon.aws.cloudformation:
        stack_name: "ansible-cloudformation"
        state: "present"
        region: "us-east-1"
        disable_rollback: true
        template: "files/cloudformation-example.json"
        template_parameters:
          KeyName: "jmartin"
          DiskType: "ephemeral"
          InstanceType: "m1.small"
          ClusterSize: 3
        tags:
          Stack: "ansible-cloudformation"
Mitigation / Fix
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Stack
      amazon.aws.cloudformation:
        stack_name: "ansible-cloudformation"
        state: "present"
        region: "us-east-1"
        disable_rollback: true
        notification_arns: "notifications:arns"
        template: "files/cloudformation-example.json"
        # Inline stack policy. Alternatively, stack_policy takes the path to a JSON
        # file holding the same document; only one of the two properties is needed.
        # Once a stack policy is attached, any resource not covered by an Allow
        # statement is protected from every update, so add an Allow (for example
        # Update:Modify) for the resources that must remain updatable.
        stack_policy_body: |
          {
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Deny",
              "Action": ["Update:Replace", "Update:Delete"],
              "Principal": "*",
              "Resource": "*"
            }]
          }
        template_parameters:
          KeyName: "jmartin"
          DiskType: "ephemeral"
          InstanceType: "m1.small"
          ClusterSize: 3
        tags:
          Stack: "ansible-cloudformation"
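As an added example (not part of this rule's documentation or of the amazon.aws collection), a small Python check that applies this rule to an Ansible playbook already loaded into Python structures: it flags CloudFormation tasks that set neither stack_policy nor stack_policy_body, rejects an inline stack_policy_body that is not valid JSON (such as a missing comma after the Action list), and warns when the policy has no Allow statement, since an attached Deny-only policy blocks every update. The task names, stack names and policy strings are constructed sample data.

```python
import json

# Module names a CloudFormation task may use (the short name is the legacy alias).
CFN_MODULES = ("amazon.aws.cloudformation", "cloudformation")


def check_task(task):
    """Return (task_name, finding) tuples for one task dict; [] means it passes."""
    name = task.get("name", "<unnamed>")
    args = next((task[m] or {} for m in CFN_MODULES if m in task), None)
    if args is None:
        return []  # not a CloudFormation task
    if "stack_policy" not in args and "stack_policy_body" not in args:
        return [(name, "aws_cloudformation_stack_policy: no stack_policy or stack_policy_body")]
    body = args.get("stack_policy_body")
    if body is None:
        return []  # policy is loaded from a file; nothing inline to inspect
    try:
        statements = json.loads(body).get("Statement", [])
    except json.JSONDecodeError as err:
        return [(name, f"stack_policy_body is not valid JSON ({err.msg}, line {err.lineno})")]
    # Once a stack policy is attached, every resource without an Allow is protected
    # from all updates, so a Deny-only policy blocks the next stack update entirely.
    if not any(s.get("Effect") == "Allow" for s in statements):
        return [(name, "stack policy has no Allow statement: all updates will be denied")]
    return []


def check_playbook(plays):
    """Collect findings from every task of every play (a full linter would also descend into blocks)."""
    return [f for play in plays for task in play.get("tasks") or [] for f in check_task(task)]


# Constructed sample playbook, as Ansible would load it from YAML (all values are made up).
BROKEN = ('{"Version": "2012-10-17", "Statement": [{"Effect": "Deny",\n'
          '"Action": ["Update:Replace", "Update:Delete"]\n'  # comma missing after the list
          '"Principal": "*", "Resource": "*"}]}')
DENY_ONLY = BROKEN.replace(']\n"Principal"', '],\n"Principal"')
GOOD = DENY_ONLY[:-2] + ', {"Effect": "Allow", "Action": "Update:Modify", "Principal": "*", "Resource": "*"}]}'
PLAYBOOK = [{"hosts": "localhost", "tasks": [
    {"name": "no policy", "amazon.aws.cloudformation": {"stack_name": "s1", "template": "t.json"}},
    {"name": "bad json", "amazon.aws.cloudformation": {"stack_name": "s2", "stack_policy_body": BROKEN}},
    {"name": "deny only", "cloudformation": {"stack_name": "s3", "stack_policy_body": DENY_ONLY}},
    {"name": "ok", "amazon.aws.cloudformation": {"stack_name": "s4", "stack_policy_body": GOOD}},
]}]
```

Running check_playbook(PLAYBOOK) reports the first three tasks and passes the last one.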