Resource Protection in CloudFormation

Network security is a critical aspect of cloud infrastructure, and CloudFormation provides powerful tools to define and manage secure network architectures. This guide explores key considerations for implementing network security using CloudFormation, focusing on best practices, common pitfalls, and practical remediation steps.

Missing Stack Policies

The Problem

Without a stack policy, all resources in a CloudFormation stack are vulnerable to unintended modifications or deletions during stack updates. This can lead to accidental data loss or service disruptions.

Code Examples

Bad Practice

{
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*"
    },
    {
      "Effect" : "Deny",
      "Action" : "Update:Replace",
      "Principal": "*",
      "Resource" : "LogicalResourceId/MyDatabase"
    }
  ]
}

Good Practice

Resources:
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: MySecureVPC

  MyPrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.1.0/24
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      Tags:
        - Key: Name
          Value: MyPrivateSubnet

  MyEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      ImageId: ami-0c55b159cbfafe1f0
      SubnetId: !Ref MyPrivateSubnet

Secure Patterns

  • Implement stack policies for all critical CloudFormation stacks.
  • Use explicit "Deny" statements for sensitive resources to prevent unintended modifications.
  • Regularly review and update stack policies to ensure they align with current security requirements.
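To make the evaluation rules behind these patterns concrete, here is an added example (not code from the original page) that applies a stack policy of the shape shown above to proposed update actions. It assumes the documented semantics: once a policy is attached, resources are protected by default, an explicit Allow is required, and any matching Deny overrides every Allow; Condition blocks are not modelled.

```python
import fnmatch
import json

# Constructed stack policy for this example (not the page's own code): allow
# every update action everywhere, then deny replacing or deleting the database.
STACK_POLICY = json.loads("""
{"Statement": [
  {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
  {"Effect": "Deny", "Action": ["Update:Replace", "Update:Delete"],
   "Principal": "*", "Resource": "LogicalResourceId/MyDatabase"}
]}
""")


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def is_update_allowed(policy, action, logical_id):
    """Return True if the stack policy permits `action` on `logical_id`.

    Follows the documented evaluation rules: with a stack policy attached every
    resource is protected by default, an explicit Allow is needed to update it,
    and any matching Deny overrides every Allow. Condition blocks such as
    ResourceType are not modelled here (assumption for this example).
    """
    target = f"LogicalResourceId/{logical_id}"
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, pat)
                         for pat in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(target, pat)
                           for pat in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False  # Deny wins no matter what Allow statements exist
        allowed = True
    return allowed


if __name__ == "__main__":
    for change in [("Update:Modify", "MyDatabase"), ("Update:Replace", "MyDatabase"),
                   ("Update:Replace", "MyVPC"), ("Update:Delete", "MyDatabase")]:
        print(change, "allowed" if is_update_allowed(STACK_POLICY, *change) else "BLOCKED")
```

Running it shows that the database can still be modified in place while replacement and deletion are blocked, and that a policy whose Allow statements never match a resource leaves that resource protected.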

Deletion Protection Oversights

The Problem

Failing to enable termination protection or implement proper deletion policies can result in accidental stack or resource deletions, leading to data loss and service interruptions.

Code Examples

Bad Practice

Resources:
  MyBucket:
    Type: AWS::S3::Bucket
    # No DeletionPolicy specified

Good Practice

Resources:
  MyBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      # Bucket properties

Secure Patterns

  • Enable termination protection for critical CloudFormation stacks.
  • Use the DeletionPolicy attribute to retain important resources even if the stack is deleted.
  • Implement a review process for stack deletion requests to prevent accidental deletions.

Unprotected Sensitive Resources

The Problem

Sensitive resources without proper protection mechanisms are vulnerable to unauthorized modifications or replacements during stack updates.

Code Examples

Bad Practice

Resources:
  MyDatabase:
    Type: AWS::RDS::DBInstance
    Properties:
      # Database properties

Good Practice

Resources:
  MyDatabase:
    Type: AWS::RDS::DBInstance
    UpdateReplacePolicy: Retain
    DeletionPolicy: Snapshot
    Properties:
      # Database properties

Secure Patterns

  • Identify and categorize sensitive resources within your CloudFormation stacks.
  • Implement resource-specific allow rules in stack policies for granular control.
  • Use UpdateReplacePolicy and DeletionPolicy attributes to protect against unintended replacements or deletions.

Practical Remediation Steps

1. Immediate Actions

  • Conduct a comprehensive audit of existing CloudFormation templates to identify network security misconfigurations.
  • Implement stack policies for all critical stacks, focusing on explicit "Deny" statements for sensitive resources.
  • Enable termination protection for all production and critical stacks.
  • Review and update DeletionPolicy and UpdateReplacePolicy attributes for sensitive resources.
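The audit and the stack-policy step above, and the sensitive-resource patterns in the previous section, can be carried out together with a small check over a JSON-format template. The following is an added example, not code from the original page; the set of "stateful" types and the sample template are constructed for illustration, and it reads the template as plain JSON (a YAML template with intrinsic tags would need a CloudFormation-aware loader).

```python
import json

# Stateful resource types treated as sensitive here; a constructed list for
# this example, not an AWS-defined category.
STATEFUL_TYPES = {"AWS::RDS::DBInstance", "AWS::RDS::DBCluster",
                  "AWS::S3::Bucket", "AWS::DynamoDB::Table", "AWS::EC2::Volume"}
# Values that keep data; Snapshot is only valid for types that support it.
SAFE_POLICIES = {"Retain", "Snapshot"}

# Constructed JSON-format template: the bucket has no policies at all and the
# database protects deletion but not replacement.
TEMPLATE = json.loads("""
{"Resources": {
  "MyVPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
  "MyBucket": {"Type": "AWS::S3::Bucket"},
  "MyDatabase": {"Type": "AWS::RDS::DBInstance", "DeletionPolicy": "Snapshot",
                 "Properties": {"Engine": "postgres", "AllocatedStorage": "20",
                                "DBInstanceClass": "db.t3.micro"}}}}
""")


def audit_template(template):
    """Return (logical_id, attribute, value) for each stateful resource whose
    DeletionPolicy/UpdateReplacePolicy would not keep data (None = unset,
    which CloudFormation treats as Delete)."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") not in STATEFUL_TYPES:
            continue
        for attr in ("DeletionPolicy", "UpdateReplacePolicy"):
            if res.get(attr) not in SAFE_POLICIES:
                findings.append((logical_id, attr, res.get(attr)))
    return findings


def build_stack_policy(template):
    """Stack policy allowing routine updates but denying replacement or
    deletion of every stateful resource in the template."""
    protected = [f"LogicalResourceId/{lid}"
                 for lid, res in template.get("Resources", {}).items()
                 if res.get("Type") in STATEFUL_TYPES]
    statement = [{"Effect": "Allow", "Action": "Update:*",
                  "Principal": "*", "Resource": "*"}]
    if protected:  # without a Deny, Allow Update:* would permit replacement
        statement.append({"Effect": "Deny", "Principal": "*",
                          "Action": ["Update:Replace", "Update:Delete"],
                          "Resource": protected})
    return {"Statement": statement}
```

For the sample template, audit_template reports the bucket twice and the database once (its UpdateReplacePolicy is unset), and build_stack_policy emits a policy whose Deny statement lists both logical IDs; the generated document can be saved and attached to the stack as its stack policy.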

2. Long-term Strategy

  • Implement an IaC security solution such as Gomboc AI.
  • Regularly update and patch CloudFormation resources to address newly discovered vulnerabilities.
  • Implement drift detection and automated remediation to ensure deployed resources match their intended configurations [6].
  • Develop and enforce organizational policies for secure CloudFormation template development, including guidelines for parameter constraints, secret management, and access control [3].
  • Provide ongoing training and education for development and operations teams on CloudFormation security best practices and AWS security services integration [3].

By following these best practices and implementing a comprehensive security strategy, you can significantly enhance the security posture of your CloudFormation stack permissions. Remember that security is an ongoing process, requiring continuous monitoring, improvement, and adaptation to new threats and best practices.

Effective management of stack permissions in CloudFormation is crucial for maintaining a secure and compliant infrastructure as code environment. By addressing issues such as excessive IAM permissions, missing resource-level permissions, and uncontrolled cross-stack references, organizations can significantly reduce their security risks and improve their overall cloud governance.

Citations:
[1] https://blog.devops.dev/aws-cloudformation-security-best-practices-a-comprehensive-guide-921670978e2c?gi=c980a7141ed0
[2] https://www.jit.io/resources/devsecops/6-steps-to-configure-cloudformation-security-groups
[3] https://www.strongdm.com/blog/aws-iam-best-practices
[4] https://docs.aws.amazon.com/secretsmanager/latest/userguide/cfn-example_secret.html
[5] https://tutorialsdojo.com/different-ways-of-passing-parameters-securely-in-cloudformation/
[6] https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/
[7] https://d1.awsstatic.com/SMB/aws-security-hub-automated-response-and-remediation-implementation-guide-smb-security-resource.pdf
[8] https://www.aquasec.com/blog/cloudformation-templates-scan-with-trivy/
[9] https://cycode.com/blog/aws-cloudformation-security-8-best-practices/