CloudWiki
Rules
Medium

Ensure CloudFormation stacks Termination Protection feature is enabled

Security & Compliance
Description

To prevent accidental deletion of your CloudFormation stacks, it's important to enable the Termination Protection feature. When Termination Protection is enabled, any attempt to delete the stack will fail, and the stack (along with its current status) will remain unchanged. By enabling the Termination Protection safety feature, you can have peace of mind knowing that your CloudFormation stacks are protected from being accidentally deleted and that the AWS environment created by the stack and its associated data remains secure.

Remediation

Here are some remediation steps to ensure that the Termination Protection feature is enabled for your CloudFormation stacks:

  1. Identify the CloudFormation stacks that do not have Termination Protection enabled. You can use the AWS CLI or AWS Management Console to view the stack properties.
  2. For each stack that does not have Termination Protection enabled, update the stack and enable the Termination Protection feature. You can do this using the AWS Management Console or the AWS CLI.
  3. If you are using AWS CloudFormation templates to create your stacks, ensure that the TerminationProtection attribute is set to true in your template.
  4. It's also a good practice to enable Termination Protection by default for all new stacks that you create in the future. You can do this by creating a CloudFormation stack set with the TerminationProtection attribute set to true.
  5. Lastly, ensure that your IAM policies and permissions are set up correctly so that only authorized users can modify or delete the Termination Protection settings of your CloudFormation stacks.

By following these steps, you can ensure that the Termination Protection feature is enabled for your CloudFormation stacks and your resources are protected from accidental deletion.

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.