Protection of AWS CloudFormation Resources

AWS Cloudformation is a service that helps you model and set up your AWS resources. You create a template that describes all the AWS resources that you want and AWS Cloudformation takes care of provisioning and configuring those resources for you. Protecting AWS Cloudformation resources are highly recommended and it is essential part of disaster management, In this blog we see different methods to protect AWS Cloudformation resources.

Protection of AWS CloudFormation:
There are three ways to protect resources that are created by AWS CloudFormation.

1. Account level protection

2. Stack level protection

3. Resource level protection

Account level protection:

AWS CloudFormation takes a template that describes desired resources and deploys it as a stack of resources. When a stack is deleted, the resources are deleted too.

Therefore, we must have account level protection to control which users have permission to delete the stack. This can be assigned via Identity and Access Management (IAM).

Add a policy to an IAM user, which denies the delete stack action.

Step 1: Go to IAM

Step 2: Click on Users

Step 3: Select an user to add a policy
Step 4: Click on Inline policies.
Step 5: Click on Custom Policy

Step 6: Write the policy name and in policy document section copy paste the below content
Step 7: Click on Validate Policy, Once it shows “This policy is valid”

Step 8: Apply Policy

Stack level protection:
You can prevent stack resources from being unintentionally deleted during a stack update by using stack policies. Stack policies apply only during stack updates and should be used only as a fail-safe mechanism to prevent accidental deletes to certain stack resources.
By default, all resources in a stack can be updated by anyone with update permissions. However, during an update, some resources might require an interruption or might be completely replaced, which could result in new physical IDs or completely new storage. To ensure that no one inadvertently delete these resources, you can set a stack policy. The stack policy prevents anyone from accidentally updating resources that are protected. If you want to update protected resources, you must explicitly specify those resources during a stack update.
Stack policies are JSON documents that define which update actions can be performed on designated resources. You can define only one stack policy per stack; however, you can protect multiple resources within a single policy.

Here’s a sample stack policy that prevents delete to PROD_DATABASE resource:
“Statement”: [
“Effect”: “Deny”,
“Action”: “Update:Delete”,
“Principal”: “*”,
“Resource”: “LogicalResourceId/PROD_DATABASE”
“Effect”: “Allow”,
“Action”: “Update:*”,
“Principal”: “*”,
“Resource”: “*”
How to set a stack policy when you create a stack:
Step 1: Go to CloudFormation
Step 2: Click on Create Stack

Step 3: Upload the template

Step 4: Write the Stack Name

Step 5: Click on Advanced , Enter Policy



Copy and paste the above sample stack policy in Enter policy section or you can write your own policy.

Step 6: Create Stack

Resouce level protection:
Resources created by CloudFormation can still be deleted/modified by any user with appropriate permission. Therefore, it is important that you protect important resources from being impacted by unauthorized users. AWS recommends the granting least privilege so that users only have control over the resources they require, and no more.

It is recommended that you write CloudFormation templates with DeletionPolicy attribute. DeletionPolicy attribute can preserve or (in some cases) backup a resource when its stack is deleted. You specify a DeletionPolicy attribute for each resource that you want to control.
DeletionPolicy attribute values:
1. Delete (default) : If a resource has no DeletionPolicy attribute, AWS CloudFormation deletes the resource by default.
2. Retain : Retain deletion policy defines resources that should not be deleted when a stack is deleted.
To keep a resource when its stack is deleted, specify Retain for that resource. For example,
“AWSTemplateFormatVersion” : “2010-09-09”,
“Resources” : {
“myS3Bucket” : {
“Type” : “AWS::S3::Bucket”,
“DeletionPolicy” : “Retain”
The above example demonstrates how to retain an Amazon S3 bucket even when a stack is accidentally deleted. You can add this deletion policy to any resource type. Note that when AWS CloudFormation completes the stack deletion, the stack will be in Delete_Complete state; however, resources that are retained continue to exist and continue to incur applicable charges until you delete those resources.
3. Snapshot
The following resources support snapshotting:
AWS::RDS::DBInstance and
AWS CloudFormation can create a snapshot for these resources before deleting them. Note that when AWS CloudFormation completes the stack deletion, the stack will be in the Delete_Complete state; however, the snapshots that are created with this policy continue to exist and continue to incur applicable charges until you delete those snapshots.
Since our entire infrastructure is managed by AWS Cloudformation, protecting Cloudformation resources is crucial. As we discussed various methods, one can implement all the above protection methods to ensure that Cloudformation stacks are protected. At a minimum we should have at least account level protection, so that we can feel safe about our infrastructure.