No Stack Policy

  • Query id: ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9
  • Query name: No Stack Policy
  • Platform: Ansible
  • Severity: Medium
  • Category: Resource Management
  • CWE: 829
  • URL: Github

Description

An AWS CloudFormation stack managed with the amazon.aws.cloudformation module should carry a stack policy. Without one, any stack update can modify, replace or delete every resource in the stack, so a mistaken template change or an over-privileged deployment pipeline can destroy stateful resources such as databases. A stack policy is a JSON document of Allow/Deny statements over Update:* actions on named logical resources; it is attached through the module's stack_policy parameter (path to a local JSON file) or, in newer amazon.aws releases, inline through stack_policy_body / stack_policy_on_update_body.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: create a stack, pass in the template via an URL
  amazon.aws.cloudformation:   # no stack_policy / stack_policy_body: every resource is open to update, replace and delete
    stack_name: "ansible-cloudformation"
    state: present
    region: us-east-1
    disable_rollback: true
    template_url: https://s3.amazonaws.com/my-bucket/cloudformation.template
    template_parameters:
      KeyName: jmartin
      DiskType: ephemeral
      InstanceType: m1.small
      ClusterSize: 3
    tags:
      Stack: ansible-cloudformation

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: create a stack, pass in the template via an URL
  amazon.aws.cloudformation:
    stack_name: ansible-cloudformation
    stack_policy: files/stack-policy.json   # path to a local JSON stack policy document (illustrative path)
    state: present
    region: us-east-1
    disable_rollback: true
    template_url: https://s3.amazonaws.com/my-bucket/cloudformation.template
    template_parameters:
      KeyName: jmartin
      DiskType: ephemeral
      InstanceType: m1.small
      ClusterSize: 3
    tags:
      Stack: ansible-cloudformation
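The following is an added example, not code from KICS or from the amazon.aws collection. It shows what a usable stack policy document looks like (allow all updates, then deny replacement and deletion of named resources, since Deny overrides Allow) and implements the same check this query performs: flag any cloudformation task that manages a stack without one of the stack-policy parameters. The task dicts are constructed to mirror the positive and negative samples above (a real playbook loaded with yaml.safe_load yields the same dict shape); the logical ID ProductionDatabase and the task names are assumptions for illustration.

```python
"""Stack-policy helper and check for amazon.aws.cloudformation tasks.

Added example for this page; not KICS or amazon.aws code. Builds a stack
policy in the format CloudFormation expects and flags tasks that create or
update a stack without attaching one.
"""
import json

# Module names the check recognises: the FQCN used on this page and the
# legacy short name still accepted in older playbooks.
CLOUDFORMATION_MODULES = {"amazon.aws.cloudformation", "cloudformation"}

# Any one of these attaches a stack policy. stack_policy is a path to a JSON
# file; the *_body variants take the JSON inline (newer amazon.aws releases).
POLICY_PARAMETERS = ("stack_policy", "stack_policy_body", "stack_policy_on_update_body")


def build_stack_policy(protected_logical_ids):
    """Allow every update, then deny Replace/Delete on the named resources.
    An explicit Deny wins over the Allow, so an update that would recreate
    a protected resource (e.g. a changed DB engine) is refused."""
    statements = [
        {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
    ]
    for logical_id in protected_logical_ids:
        statements.append({
            "Effect": "Deny",
            "Action": ["Update:Replace", "Update:Delete"],
            "Principal": "*",
            "Resource": f"LogicalResourceId/{logical_id}",
        })
    return {"Statement": statements}


def stack_policy_json(protected_logical_ids):
    """Serialised form suitable for the stack_policy_body parameter or a file."""
    return json.dumps(build_stack_policy(protected_logical_ids), indent=2)


def find_cloudformation_module(task):
    """Return (module_name, params) if the task uses a cloudformation module."""
    for key, value in task.items():
        if key in CLOUDFORMATION_MODULES:
            # A bare "amazon.aws.cloudformation:" with no params parses as None.
            return key, value if isinstance(value, dict) else {}
    return None


def tasks_missing_stack_policy(tasks):
    """Names of tasks that create/update a stack with no stack policy set.
    Tasks with state: absent are skipped: a policy is irrelevant to deletion."""
    findings = []
    for task in tasks:
        found = find_cloudformation_module(task)
        if found is None:
            continue
        _, params = found
        if params.get("state", "present") == "absent":
            continue
        # An empty value (stack_policy: "") counts as missing.
        if not any(params.get(name) for name in POLICY_PARAMETERS):
            findings.append(task.get("name", "<unnamed task>"))
    return findings


# Constructed sample tasks mirroring the page's positive and negative samples.
SAMPLE_TASKS = [
    {   # positive sample: no stack policy at all -> finding
        "name": "create a stack, pass in the template via an URL",
        "amazon.aws.cloudformation": {
            "stack_name": "ansible-cloudformation",
            "state": "present",
            "region": "us-east-1",
            "template_url": "https://s3.amazonaws.com/my-bucket/cloudformation.template",
        },
    },
    {   # negative sample, with the policy passed inline instead of by path
        "name": "create a stack with an inline stack policy",
        "amazon.aws.cloudformation": {
            "stack_name": "ansible-cloudformation",
            "state": "present",
            "region": "us-east-1",
            "template_url": "https://s3.amazonaws.com/my-bucket/cloudformation.template",
            "stack_policy_body": stack_policy_json(["ProductionDatabase"]),  # assumed logical ID
        },
    },
    {   # stack deletion: not flagged
        "name": "tear down the stack",
        "amazon.aws.cloudformation": {"stack_name": "ansible-cloudformation", "state": "absent"},
    },
]

if __name__ == "__main__":
    print(stack_policy_json(["ProductionDatabase"]))
    for name in tasks_missing_stack_policy(SAMPLE_TASKS):
        print(f"FINDING: task '{name}' manages a stack without a stack policy")
```

The Allow-then-Deny shape matters: a stack policy with only Deny statements implicitly denies every other update as well, which turns routine updates into failures and tempts operators to remove the policy. Denying only Update:Replace and Update:Delete on stateful resources keeps day-to-day updates working while blocking the destructive ones; when such a change is genuinely intended, it is applied by supplying a temporary override policy for that single update rather than by stripping the policy from the playbook.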