No Stack Policy

• Query id: ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9
• Query name: No Stack Policy
• Platform: Ansible
• Severity: Medium
• Category: Resource Management
• CWE: 829
• URL: Github

Description

AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

- name: create a stack, pass in the template via an URL
  amazon.aws.cloudformation:
    stack_name: "ansible-cloudformation"
    state: present
    region: us-east-1
    disable_rollback: true
    template_url: https://s3.amazonaws.com/my-bucket/cloudformation.template
    template_parameters:
      KeyName: jmartin
      DiskType: ephemeral
      InstanceType: m1.small
      ClusterSize: 3
    tags:
      Stack: ansible-cloudformation

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

- name: create a stack, pass in the template via an URL
  amazon.aws.cloudformation:
    stack_name: ansible-cloudformation
    stack_policy: wowowowoowow
    state: present
    region: us-east-1
    disable_rollback: true
    template_url: https://s3.amazonaws.com/my-bucket/cloudformation.template
    template_parameters:
      KeyName: jmartin
      DiskType: ephemeral
      InstanceType: m1.small
      ClusterSize: 3
    tags:
      Stack: ansible-cloudformation