Description:
Termination protection is a feature in AWS CloudFormation that prevents a stack from being deleted. This helps to protect your stack from being accidentally deleted or deleted by a malicious actor.
Rationale:
Enabling termination protection is a best practice for security and infrastructure management. It helps to protect your stack from being accidentally deleted, which could result in the loss of data or other resources.
Impact:
Enabling termination protection will prevent your stack from being deleted until you explicitly disable the protection again. This makes it more difficult for someone to delete your stack accidentally or for malicious purposes.
Default Value:
By default, termination protection is disabled for CloudFormation stacks.
Pre-requisites:
- You must have access to the AWS CloudFormation console.
- You must know the name of the CloudFormation stack that you want to enable termination protection for.
Remediation Steps:
- Sign in to the AWS CloudFormation console.
- In the left navigation pane, click Stacks.
- Click the name of the CloudFormation stack that you want to enable termination protection for.
- In the Overview section, click Edit Stack.
- In the Settings section, select Enable Termination Protection.
- Click Save.
Test Plan:
- After you have enabled termination protection, you can verify that it is working by attempting to delete the stack.
- The delete operation should fail with an error message that indicates that termination protection is enabled.
Implementation Plan:
AWS CLI:
aws cloudformation update-termination-protection --stack-name my-stack --enable-termination-protection
AWS GUI:
- Sign in to the AWS CloudFormation console.
- In the left navigation pane, click Stacks.
- Click the name of the CloudFormation stack that you want to enable termination protection for.
- In the Overview section, click Edit Stack.
- In the Settings section, select Enable Termination Protection.
- Click Save.
Backout Plan:
To back out of enabling termination protection, you can follow the same steps as the remediation steps, but deselect Enable Termination Protection.
Note:
- You can enable termination protection for all of your CloudFormation stacks at once by using the AWS CLI or the AWS GUI.
- You can also disable termination protection for a stack if you need to.
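The following script is an added example (not code from this page or from AWS) that applies the CLI step above across all root stacks in an account and then performs the read-back check from the Test Plan. It assumes boto3 for a live run and uses a constructed describe-stacks sample plus a fake client so the logic can be exercised offline; nested stacks are skipped because they inherit protection from their root stack, and stacks already being deleted are skipped as well.

```python
# Audit root CloudFormation stacks for termination protection and enable it where missing (assumed helper, not AWS code).

# Nested stacks inherit protection from the root stack and cannot be set directly;
# stacks already being deleted are skipped because there is nothing left to protect.
SKIPPED_STATUSES = {"DELETE_IN_PROGRESS", "DELETE_COMPLETE", "DELETE_FAILED"}

# Constructed sample in the shape of one describe-stacks response page (not real account data).
SAMPLE_PAGE = {"Stacks": [
    {"StackName": "web-prod", "StackStatus": "CREATE_COMPLETE", "EnableTerminationProtection": False},
    {"StackName": "db-prod", "StackStatus": "UPDATE_COMPLETE", "EnableTerminationProtection": True},
    {"StackName": "web-prod-Asg-ABC", "StackStatus": "CREATE_COMPLETE", "EnableTerminationProtection": False,
     "ParentId": "arn:aws:cloudformation:us-east-1:111111111111:stack/web-prod/example-id"},
    {"StackName": "old-test", "StackStatus": "DELETE_IN_PROGRESS", "EnableTerminationProtection": False},
]}

def unprotected_stacks(page: dict) -> list[str]:
    """Names of root, live stacks in one describe-stacks page that lack termination protection."""
    names = []
    for stack in page.get("Stacks", []):
        if stack.get("ParentId") or stack.get("StackStatus") in SKIPPED_STATUSES:
            continue
        if not stack.get("EnableTerminationProtection", False):
            names.append(stack["StackName"])
    return names

def enable_protection(client, stack_names: list[str]) -> list[str]:
    """Enable protection (update-termination-protection) and return the names that read back as protected."""
    protected = []
    for name in stack_names:
        client.update_termination_protection(StackName=name, EnableTerminationProtection=True)
        # Verify by reading the flag back instead of trusting that the call took effect.
        stack = client.describe_stacks(StackName=name)["Stacks"][0]
        if stack.get("EnableTerminationProtection"):
            protected.append(name)
    return protected

class FakeCloudFormation:
    # Minimal offline stand-in for a boto3 CloudFormation client (constructed for this example).
    def __init__(self, page: dict) -> None:
        self.stacks = {s["StackName"]: dict(s) for s in page["Stacks"]}
    def update_termination_protection(self, StackName: str, EnableTerminationProtection: bool) -> None:
        self.stacks[StackName]["EnableTerminationProtection"] = EnableTerminationProtection
    def describe_stacks(self, StackName: str) -> dict:
        return {"Stacks": [self.stacks[StackName]]}

if __name__ == "__main__":
    import boto3  # only needed for a live run against real stacks
    cfn = boto3.client("cloudformation")
    todo = [n for page in cfn.get_paginator("describe_stacks").paginate() for n in unprotected_stacks(page)]
    print("termination protection enabled on:", enable_protection(cfn, todo))
```

The caller's IAM principal needs cloudformation:DescribeStacks and cloudformation:UpdateTerminationProtection for the live run; the fake client lets you check the filtering rules without touching an account.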
Reference:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-protect-stacks.html