Profile Applicability:

  • Level 1

Description:

AWS CloudFormation provides an automated way to manage the deployment and lifecycle of AWS resources. Termination protection is a feature that helps prevent accidental deletion of a stack. Enabling termination protection on CloudFormation stacks ensures that a stack cannot be accidentally deleted via the AWS Management Console, AWS CLI, or API, without first disabling the protection. This helps prevent accidental loss of resources managed by CloudFormation.

Rationale:

  • Prevent Accidental Deletion: Termination protection prevents the accidental deletion of stacks, which could result in the loss of critical resources and configuration.

  • Security: Helps avoid disruptions to critical infrastructure that could occur due to human errors or misconfigured automation pipelines.

  • Operational Stability: By protecting stacks from being deleted, you can ensure that resources and services remain stable during ongoing maintenance or operations.

Impact:

Pros:

  • Enhanced Security: Prevents the accidental termination of stacks that contain vital infrastructure or services.

  • Operational Continuity: Ensures that stacks continue running and prevents service disruptions from accidental deletions.

  • Data Protection: Helps protect valuable data and configurations by preventing inadvertent deletion of stacks.

Cons:

  • Increased Complexity: While the termination protection feature is helpful, it may complicate stack deletion in legitimate cases, requiring manual intervention to disable protection before deleting the stack.

  • Additional Step for Stack Deletion: In case of legitimate stack removal, the additional step of disabling termination protection must be performed.

Default Value:

By default, termination protection is disabled for CloudFormation stacks. You must enable it explicitly during stack creation or afterward via stack modification.

Pre-requisite:

  • AWS IAM Permissions:

    • cloudformation:DescribeStacks

    • cloudformation:UpdateStack

    • cloudformation:DeleteStack

  • AWS CLI installed and configured.

  • Ensure you have access to CloudFormation resources and stack management permissions.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS CloudFormation under Services.

  3. In the CloudFormation Dashboard, go to Stacks.

  4. Select the stack you want to check.

  5. In the Stack Details tab, under the Termination Protection section, check the status:

    • If Termination Protection is enabled, it will show "Enabled."

    • If Termination Protection is disabled, it will show "Disabled."

  6. If Termination Protection is not enabled, you can modify the stack to enable it.

Using AWS CLI:

  1. To check if Termination Protection is enabled for a CloudFormation stack, run:

    aws cloudformation describe-stacks --stack-name <stack-name> --query 'Stacks[*].{StackName:StackName,TerminationProtection:EnableTerminationProtection}'

  2. Review the output:

    • If TerminationProtection is true, the stack is protected.

    • If TerminationProtection is false, termination protection is not enabled.

  3. To enable Termination Protection, run:

    aws cloudformation update-termination-protection --stack-name <stack-name> --enable-termination-protection

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to AWS CloudFormation.

  2. In the CloudFormation Dashboard, select Stacks and choose the stack you want to modify.

  3. In the Stack Details tab, under Termination Protection, click Edit.

  4. Enable Termination Protection by checking the Enable Termination Protection box.

  5. Save the changes to apply Termination Protection to the stack.

Using AWS CLI:

  1. To enable Termination Protection for an existing stack, run:

    aws cloudformation update-termination-protection --stack-name <stack-name> --enable-termination-protection

  2. To verify that Termination Protection is enabled, run:

    aws cloudformation describe-stacks --stack-name <stack-name> --query 'Stacks[*].{StackName:StackName,TerminationProtection:EnableTerminationProtection}'
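The per-stack check in the Test Plan and the enable step above can be applied account-wide. The following script is an added example, not part of this benchmark text: it parses describe-stacks output, separates nested stacks (which inherit protection from their root stack and cannot be updated directly) from unprotected root stacks, and prints the remediation commands. The stack names and account ID in the sample JSON are constructed; the live path assumes the AWS CLI is installed and configured.

```python
"""Audit CloudFormation stacks for termination protection (added example)."""
import json
import subprocess

# Constructed sample of `aws cloudformation describe-stacks` JSON output;
# the names, account ID and stack IDs below are placeholders, not real data.
SAMPLE_DESCRIBE_STACKS = json.dumps({
    "Stacks": [
        {"StackName": "prod-network", "StackStatus": "CREATE_COMPLETE",
         "EnableTerminationProtection": True},
        {"StackName": "prod-app", "StackStatus": "UPDATE_COMPLETE",
         "EnableTerminationProtection": False},
        {"StackName": "prod-app-DbNested-ABC123", "StackStatus": "CREATE_COMPLETE",
         "EnableTerminationProtection": False,
         "ParentId": "arn:aws:cloudformation:us-east-1:111111111111:stack/prod-app/uuid",
         "RootId": "arn:aws:cloudformation:us-east-1:111111111111:stack/prod-app/uuid"},
    ]
})


def audit(describe_stacks_json):
    """Return (unprotected_root_stacks, nested_stacks) from describe-stacks JSON.

    Nested stacks carry a RootId; their protection is governed by the root stack
    and cannot be set on them directly, so they are listed, not flagged.
    """
    unprotected, nested = [], []
    for stack in json.loads(describe_stacks_json)["Stacks"]:
        if stack.get("RootId"):
            nested.append(stack["StackName"])
        elif not stack.get("EnableTerminationProtection", False):
            unprotected.append(stack["StackName"])
    return unprotected, nested


def remediation_commands(unprotected):
    """Build the CLI command that enables protection on each flagged root stack."""
    return [f"aws cloudformation update-termination-protection "
            f"--stack-name {name} --enable-termination-protection"
            for name in unprotected]


if __name__ == "__main__":
    # Live run: fetch every stack in the current region via the AWS CLI.
    raw = subprocess.run(["aws", "cloudformation", "describe-stacks", "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    flagged, nested = audit(raw)
    print("Unprotected root stacks:", flagged)
    print("Nested stacks (protect via their root):", nested)
    print("\n".join(remediation_commands(flagged)))
```

Run without arguments it audits the region the CLI is configured for; call audit() directly on saved describe-stacks output to review an export offline.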

Backout Plan:

Using AWS Console:

  1. If enabling Termination Protection causes issues, sign in to the AWS Management Console.

  2. Navigate to CloudFormation, select the stack, and click Stack actions.

  3. Select Disable termination protection.

  4. Save the changes and verify that Termination Protection is now disabled, allowing stack deletion if needed.

Using AWS CLI:

  1. To disable Termination Protection, run the following command:

    aws cloudformation update-termination-protection --stack-name <stack-name> --no-enable-termination-protection

  2. Verify that Termination Protection has been disabled:

    aws cloudformation describe-stacks --stack-name <stack-name>

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                            | IG1 | IG2 | IG3
  --------|------------|----------------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                          |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.      |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.               |     |     |