Change Management with CloudFormation

Effective change management is crucial for maintaining a secure and stable infrastructure when using AWS CloudFormation. This guide explores key considerations for implementing robust change management practices with CloudFormation, focusing on best practices, common pitfalls, and practical remediation steps.


Drift Detection Gaps

The Problem

Failing to regularly check for and address configuration drift can lead to inconsistencies between the intended and actual state of resources, potentially introducing security vulnerabilities or operational issues.

Code Examples

Bad Practice

Resources:
  MyEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      ImageId: ami-0c55b159cbfafe1f0

# Implement AWS Config rule for drift detection
  DriftDetectionRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ec2-instance-managed-by-systems-manager
      Description: Checks whether EC2 instances in your account are managed by AWS Systems Manager.
      Source:
        Owner: AWS
        SourceIdentifier: EC2_INSTANCE_MANAGED_BY_SSM

Good Practice

Resources:
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: MySecureVPC

  MyPrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.1.0/24
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      Tags:
        - Key: Name
          Value: MyPrivateSubnet

  MyEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      ImageId: ami-0c55b159cbfafe1f0
      SubnetId: !Ref MyPrivateSubnet

Secure Patterns

  • Implement regular drift detection checks using AWS Config or custom scripts.
  • Automate the process of correcting drift when detected.
  • Integrate drift detection results into your monitoring and alerting system.
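Detecting drift is only useful if the results reach someone with the right priority. The script below is an added example (not code from this guide or from AWS) that triages the JSON returned by `aws cloudformation describe-stack-resource-drifts` after a `detect-stack-drift` run: a security group or bucket policy that has drifted is treated as a high-severity finding, a deleted resource likewise, ordinary property drift as medium, and resources CloudFormation could not check are surfaced so they are verified some other way. The list of security-sensitive types, the sample drift records and the severity scheme are assumptions chosen for the example; the field names follow the API response shape.

```python
"""Triage CloudFormation drift results so security-relevant drift is alerted on first."""

# Resource types whose drift is a security finding rather than a hygiene issue
# (assumption for this example; extend to match your environment).
SECURITY_SENSITIVE_TYPES = (
    "AWS::IAM::", "AWS::EC2::SecurityGroup", "AWS::S3::BucketPolicy",
    "AWS::KMS::", "AWS::CloudTrail::",
)

# Constructed sample in the shape of the describe-stack-resource-drifts response.
# Field names follow the API; the resources and values are invented.
SAMPLE_DRIFTS = {"StackResourceDrifts": [
    {"LogicalResourceId": "MyEC2Instance", "ResourceType": "AWS::EC2::Instance",
     "StackResourceDriftStatus": "IN_SYNC", "PropertyDifferences": []},
    {"LogicalResourceId": "WebSecurityGroup", "ResourceType": "AWS::EC2::SecurityGroup",
     "StackResourceDriftStatus": "MODIFIED", "PropertyDifferences": [
         {"PropertyPath": "/SecurityGroupIngress/1", "DifferenceType": "ADD",
          "ActualValue": '{"CidrIp":"0.0.0.0/0","FromPort":22,"IpProtocol":"tcp","ToPort":22}'}]},
    {"LogicalResourceId": "AuditBucketPolicy", "ResourceType": "AWS::S3::BucketPolicy",
     "StackResourceDriftStatus": "DELETED", "PropertyDifferences": []},
    {"LogicalResourceId": "AppLogGroup", "ResourceType": "AWS::Logs::LogGroup",
     "StackResourceDriftStatus": "MODIFIED", "PropertyDifferences": [
         {"PropertyPath": "/RetentionInDays", "ExpectedValue": "365",
          "ActualValue": "7", "DifferenceType": "NOT_EQUAL"}]},
    {"LogicalResourceId": "LegacyQueue", "ResourceType": "AWS::SQS::Queue",
     "StackResourceDriftStatus": "NOT_CHECKED", "PropertyDifferences": []},
]}

SEVERITY_ORDER = {"high": 0, "medium": 1, "unknown": 2}


def is_security_sensitive(resource_type):
    return resource_type.startswith(SECURITY_SENSITIVE_TYPES)


def severity_for(drift):
    """Map one drift record to a severity, or None when the resource is in sync."""
    status = drift["StackResourceDriftStatus"]
    if status == "IN_SYNC":
        return None
    if status == "NOT_CHECKED":
        # Drift detection does not cover every property of every type; an unchecked
        # resource has to be verified another way, so it is surfaced rather than hidden.
        return "unknown"
    if status == "DELETED" or is_security_sensitive(drift["ResourceType"]):
        return "high"
    return "medium"


def triage_drift(response):
    """Return one finding per drifted resource, highest severity first."""
    findings = []
    for drift in response["StackResourceDrifts"]:
        severity = severity_for(drift)
        if severity is None:
            continue
        findings.append({
            "logical_id": drift["LogicalResourceId"],
            "resource_type": drift["ResourceType"],
            "status": drift["StackResourceDriftStatus"],
            "severity": severity,
            # "path: expected -> actual (kind)"; an ADD difference carries no expected value.
            "differences": [
                f"{d['PropertyPath']}: {d.get('ExpectedValue', '<absent>')} -> "
                f"{d.get('ActualValue', '<absent>')} ({d['DifferenceType']})"
                for d in drift.get("PropertyDifferences", [])
            ],
        })
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])  # stable sort keeps API order within a level
    return findings


def needs_alert(findings):
    """True when at least one finding should page someone rather than wait for a ticket."""
    return any(f["severity"] == "high" for f in findings)


if __name__ == "__main__":
    results = triage_drift(SAMPLE_DRIFTS)
    for f in results:
        print(f"[{f['severity'].upper():7}] {f['logical_id']} ({f['resource_type']}) {f['status']}")
        for line in f["differences"]:
            print("          " + line)
    print("alert:", needs_alert(results))
```

In practice the response would be read from the CLI or boto3 instead of the embedded sample, and the high-severity findings fed to the alerting system named in the pattern above; the NOT_CHECKED branch is the caveat to keep, since a resource drift detection skips is not evidence that it is unchanged.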

Unsafe Stack Updates

The Problem

Performing stack updates without proper review and testing can lead to unintended consequences, including service disruptions or security vulnerabilities.

Code Examples

Bad Practice

# Directly updating the stack without review
aws cloudformation update-stack --stack-name MyStack --template-body file://updated_template.yaml

Good Practice

# Create and review a change set before applying
aws cloudformation create-change-set --stack-name MyStack --change-set-name MyChanges --template-body file://updated_template.yaml

# Review the change set
aws cloudformation describe-change-set --change-set-name MyChanges --stack-name MyStack

# Execute the change set after review
aws cloudformation execute-change-set --change-set-name MyChanges --stack-name MyStack

Secure Patterns

  • Always use change sets to preview and review changes before applying them.
  • Implement a change approval process for critical stacks.
  • Use stack policies to prevent unintended modifications to sensitive resources.
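A change set is only a safeguard if someone, or something, actually reads it before `execute-change-set` runs. The script below is an added example (not code from this guide) of an automated first pass over the JSON that `describe-change-set` returns: it blocks any change that would replace or remove a resource holding data or one on an explicit protected list, and flags IAM, security group, bucket policy and KMS changes for a human reviewer. The stateful and access-control type lists, the protected-resource list and the sample change set are assumptions; the field names, including the string-valued `Replacement` enum, follow the API response shape.

```python
"""Gate execute-change-set on an automated review of describe-change-set output."""

# Resource types that hold data: replacing or removing them loses state (assumption).
STATEFUL_TYPES = ("AWS::RDS::", "AWS::DynamoDB::Table", "AWS::S3::Bucket",
                  "AWS::EFS::FileSystem", "AWS::EC2::Volume")
# Resource types where a property change alters who can do what (assumption).
ACCESS_CONTROL_TYPES = ("AWS::IAM::", "AWS::EC2::SecurityGroup",
                        "AWS::S3::BucketPolicy", "AWS::KMS::Key")


def _change(action, lid, rtype, replacement=None, changed=()):
    """Build one entry in the constructed sample below, in the API's shape."""
    rc = {"Action": action, "LogicalResourceId": lid, "ResourceType": rtype,
          "Scope": ["Properties"] if changed else [],
          "Details": [{"Target": {"Attribute": "Properties", "Name": name,
                                  "RequiresRecreation": recreation},
                       "Evaluation": "Static", "ChangeSource": "DirectModification"}
                      for name, recreation in changed]}
    if replacement is not None:
        rc["Replacement"] = replacement
    return {"Type": "Resource", "ResourceChange": rc}


# Constructed sample in the shape of the describe-change-set response.
SAMPLE_CHANGE_SET = {
    "ChangeSetName": "MyChanges", "StackName": "MyStack", "Status": "CREATE_COMPLETE",
    "Changes": [
        _change("Add", "AppLogGroup", "AWS::Logs::LogGroup"),
        _change("Modify", "MyEC2Instance", "AWS::EC2::Instance", "False",
                [("InstanceType", "Never")]),
        _change("Modify", "MyDatabase", "AWS::RDS::DBInstance", "True",
                [("DBName", "Always")]),
        _change("Modify", "AppRole", "AWS::IAM::Role", "False",
                [("Policies", "Never")]),
        _change("Remove", "AuditBucket", "AWS::S3::Bucket"),
    ],
}


def review_change_set(change_set, protected_ids=frozenset()):
    """Classify each resource change; return a decision plus the reasons behind it."""
    blocking, warnings = [], []
    for change in change_set.get("Changes", []):
        if change.get("Type") != "Resource":
            continue
        rc = change["ResourceChange"]
        lid, rtype, action = rc["LogicalResourceId"], rc["ResourceType"], rc["Action"]
        replacement = rc.get("Replacement", "False")   # "True" | "False" | "Conditional"
        stateful = rtype.startswith(STATEFUL_TYPES)
        protected = lid in protected_ids
        changed = ", ".join(d["Target"].get("Name", "?") for d in rc.get("Details", []))
        if action == "Remove":
            (blocking if stateful or protected else warnings).append(
                f"{lid} ({rtype}): removed from the stack")
        elif action == "Dynamic":
            # CloudFormation cannot determine the effect until execution: never auto-approve.
            warnings.append(f"{lid} ({rtype}): effect not determinable before execution")
        elif action == "Modify" and replacement in ("True", "Conditional") and (stateful or protected):
            blocking.append(f"{lid} ({rtype}): Replacement={replacement} triggered by {changed}")
        elif action == "Modify" and rtype.startswith(ACCESS_CONTROL_TYPES):
            warnings.append(f"{lid} ({rtype}): access-control properties changed: {changed}")
    decision = "block" if blocking else ("review" if warnings else "approve")
    return {"decision": decision, "blocking": blocking, "warnings": warnings}


if __name__ == "__main__":
    result = review_change_set(SAMPLE_CHANGE_SET, protected_ids={"MyEC2Instance"})
    print("decision:", result["decision"])
    for reason in result["blocking"]:
        print("  BLOCK  ", reason)
    for reason in result["warnings"]:
        print("  REVIEW ", reason)
```

A pipeline would run this between `create-change-set` and `execute-change-set`, fail the job on `block`, and route `review` to the approval process; a stack policy remains the backstop for the case where someone executes a change set outside the pipeline.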

Missing Rollback Configurations

The Problem

Without proper rollback configurations, failed stack updates can leave resources in an inconsistent or potentially insecure state.

Code Examples

Bad Practice

# No specific rollback configuration
Resources:
  MyDatabase:
    Type: AWS::RDS::DBInstance
    Properties:
      # Database properties

Good Practice

# Stack level configuration
AWSTemplateFormatVersion: '2010-09-09'
Description: 'My stack with rollback configuration'
Parameters:
  RollbackOnFailure:
    Type: String
    Default: 'true'
    AllowedValues: ['true', 'false']

Resources:
  MyDatabase:
    Type: AWS::RDS::DBInstance
    UpdateReplacePolicy: Snapshot
    DeletionPolicy: Snapshot
    Properties:
      # Database properties

Secure Patterns

  • Configure appropriate UpdateReplacePolicy and DeletionPolicy for critical resources.
  • Implement comprehensive error handling and logging in your templates.
  • Use CloudFormation hooks to perform pre and post-update validations.
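The first pattern above is easy to enforce in a pre-commit or pipeline check. The linter below is an added example (not code from this guide) that walks a template in its JSON form and reports every stateful resource whose `DeletionPolicy` or `UpdateReplacePolicy` is absent or set to a value that allows data loss. `Snapshot` is accepted only for the resource types CloudFormation can snapshot, `Retain` everywhere; the type lists and the sample template are assumptions for the example. Because the default policy differs by type, the check reports a missing attribute as a finding rather than guessing what the default would do.

```python
"""Lint a CloudFormation template (JSON form) for stateful resources lacking retention policies."""
import json
import sys

# Types for which DeletionPolicy/UpdateReplacePolicy: Snapshot is valid (assumption for the example).
SNAPSHOT_CAPABLE = ("AWS::RDS::DBInstance", "AWS::RDS::DBCluster", "AWS::EC2::Volume",
                    "AWS::Redshift::Cluster", "AWS::Neptune::DBCluster",
                    "AWS::ElastiCache::CacheCluster", "AWS::ElastiCache::ReplicationGroup")
# Types that hold data and therefore need an explicit policy (assumption for the example).
STATEFUL_TYPES = SNAPSHOT_CAPABLE + ("AWS::DynamoDB::Table", "AWS::S3::Bucket", "AWS::EFS::FileSystem")
POLICY_ATTRIBUTES = ("DeletionPolicy", "UpdateReplacePolicy")

# Constructed sample template: one compliant database, one bucket with no policies,
# one table that explicitly opts into deletion, one compliant volume, one stateless instance.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "MyDatabase": {"Type": "AWS::RDS::DBInstance", "DeletionPolicy": "Snapshot",
                       "UpdateReplacePolicy": "Snapshot",
                       "Properties": {"Engine": "postgres", "DBInstanceClass": "db.t3.micro"}},
        "AuditBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "SessionsTable": {"Type": "AWS::DynamoDB::Table", "DeletionPolicy": "Delete",
                          "Properties": {"BillingMode": "PAY_PER_REQUEST"}},
        "CacheVolume": {"Type": "AWS::EC2::Volume", "DeletionPolicy": "Snapshot",
                        "UpdateReplacePolicy": "Retain",
                        "Properties": {"Size": 20, "AvailabilityZone": "us-east-1a"}},
        "MyEC2Instance": {"Type": "AWS::EC2::Instance",
                          "Properties": {"InstanceType": "t2.micro", "ImageId": "ami-0c55b159cbfafe1f0"}},
    },
}


def acceptable_values(resource_type):
    """Policy values that preserve data for this resource type."""
    return {"Retain", "Snapshot"} if resource_type in SNAPSHOT_CAPABLE else {"Retain"}


def check_retention_policies(template):
    """Return (logical_id, attribute, problem) for every unsafe or missing policy."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        resource_type = resource.get("Type", "")
        if resource_type not in STATEFUL_TYPES:
            continue
        allowed = acceptable_values(resource_type)
        for attribute in POLICY_ATTRIBUTES:
            value = resource.get(attribute)
            if value is None:
                findings.append((logical_id, attribute,
                                 "missing; set it explicitly instead of relying on the type default"))
            elif value not in allowed:
                findings.append((logical_id, attribute,
                                 f"{value!r} allows data loss; use one of {sorted(allowed)}"))
    return findings


def lint_file(path):
    """Lint a JSON template on disk; returns the findings (empty list means clean)."""
    with open(path, encoding="utf-8") as handle:
        return check_retention_policies(json.load(handle))


if __name__ == "__main__":
    results = lint_file(sys.argv[1]) if len(sys.argv) > 1 else check_retention_policies(SAMPLE_TEMPLATE)
    for logical_id, attribute, problem in results:
        print(f"{logical_id}.{attribute}: {problem}")
    sys.exit(1 if results else 0)
```

Run with a template path to lint a real JSON template, or with no arguments to see the findings for the embedded sample; a non-zero exit status lets a CI job fail the build. YAML templates would need a loader that understands the `!Ref`-style short-form tags, which is why the example sticks to the JSON form.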

Practical Remediation Steps

1. Immediate Actions

  • Conduct a comprehensive audit of existing CloudFormation stacks to identify drift detection gaps and missing rollback configurations.
  • Implement AWS Config rules or custom scripts to detect and alert on configuration drift.
  • Review and update stack update processes to include mandatory change set reviews.
  • Enable termination protection for all production and critical stacks.

2. Long-term Strategy

  • Implement an IaC security solution like Gomboc AI.
  • Regularly update and patch CloudFormation resources to address newly discovered vulnerabilities.
  • Implement drift detection and automated remediation to ensure deployed resources match their intended configurations [6].
  • Develop and enforce organizational policies for secure CloudFormation template development, including guidelines for parameter constraints, secret management, and access control [3].
  • Provide ongoing training and education for development and operations teams on CloudFormation security best practices and AWS security services integration [3].

By following these best practices and implementing a comprehensive security strategy, you can significantly enhance the security posture of your CloudFormation stack permissions. Remember that security is an ongoing process, requiring continuous monitoring, improvement, and adaptation to new threats and best practices.

Effective management of stack permissions in CloudFormation is crucial for maintaining a secure and compliant infrastructure as code environment. By addressing issues such as excessive IAM permissions, missing resource-level permissions, and uncontrolled cross-stack references, organizations can significantly reduce their security risks and improve their overall cloud governance.

Citations:
[1] https://blog.devops.dev/aws-cloudformation-security-best-practices-a-comprehensive-guide-921670978e2c?gi=c980a7141ed0
[2] https://www.jit.io/resources/devsecops/6-steps-to-configure-cloudformation-security-groups
[3] https://www.strongdm.com/blog/aws-iam-best-practices
[4] https://docs.aws.amazon.com/secretsmanager/latest/userguide/cfn-example_secret.html
[5] https://tutorialsdojo.com/different-ways-of-passing-parameters-securely-in-cloudformation/
[6] https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/
[7] https://d1.awsstatic.com/SMB/aws-security-hub-automated-response-and-remediation-implementation-guide-smb-security-resource.pdf
[8] https://www.aquasec.com/blog/cloudformation-templates-scan-with-trivy/
[9] https://cycode.com/blog/aws-cloudformation-security-8-best-practices/