Stack Retention Disabled
- Query id: fe974ae9-858e-4991-bbd5-e040a834679f
- Query name: Stack Retention Disabled
- Platform: CloudFormation
- Severity: Medium
- Category: Backup
- CWE: 404
- URL: Github
Description
Make sure that AutoDeployment.RetainStacksOnAccountRemoval is set to true on AWS::CloudFormation::StackSet resources, so that the stack instances and their associated resources are retained rather than deleted when an account is removed from the target organization or organizational unit. CloudFormation only honors this property when AutoDeployment.Enabled is true (which in turn requires PermissionModel: SERVICE_MANAGED), so a StackSet that omits AutoDeployment, leaves it disabled, or sets RetainStacksOnAccountRemoval to false is reported.
Documentation
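The check below is an added example written for this page, not the KICS query itself: it reconstructs the rule from the positive and negative samples shown here (both AutoDeployment.Enabled and AutoDeployment.RetainStacksOnAccountRemoval must be literally true) and runs it over a JSON or YAML template. The SAMPLE_TEMPLATE, its logical IDs and the reason strings are constructed for the example; PyYAML is assumed only if you feed it YAML, and the loader tolerates CloudFormation short-form intrinsics such as !Ref and !Sub so real templates parse.

```python
"""Flag CloudFormation StackSets whose stack instances would be deleted when an
account leaves the target OU (AutoDeployment.RetainStacksOnAccountRemoval != true).
Reconstructed check for illustration; not the KICS query code."""
import json

try:
    import yaml  # PyYAML; optional, only needed for YAML templates
except ImportError:
    yaml = None

STACKSET_TYPE = "AWS::CloudFormation::StackSet"


def _cfn_yaml_loader():
    """SafeLoader subclass that accepts CloudFormation short-form tags (!Ref, !Sub, ...)."""
    class CfnLoader(yaml.SafeLoader):
        pass

    def any_tag(loader, tag_suffix, node):
        if isinstance(node, yaml.ScalarNode):
            return loader.construct_scalar(node)
        if isinstance(node, yaml.SequenceNode):
            return loader.construct_sequence(node)
        return loader.construct_mapping(node)

    CfnLoader.add_multi_constructor("!", any_tag)
    return CfnLoader


def load_template(text: str) -> dict:
    """Parse a JSON or YAML CloudFormation template into a dict."""
    try:
        return json.loads(text)
    except ValueError:
        if yaml is None:
            raise RuntimeError("PyYAML is required to parse YAML templates")
        return yaml.load(text, Loader=_cfn_yaml_loader())


def find_unretained_stacksets(template: dict) -> dict:
    """Return {logical_id: reason} for every StackSet that fails the check."""
    findings = {}
    for logical_id, resource in (template.get("Resources") or {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != STACKSET_TYPE:
            continue  # only StackSets carry AutoDeployment
        props = resource.get("Properties") or {}
        auto = props.get("AutoDeployment")
        if not isinstance(auto, dict):
            findings[logical_id] = "AutoDeployment is undefined"
        elif auto.get("Enabled") is not True:
            # RetainStacksOnAccountRemoval is only honored when Enabled is true
            findings[logical_id] = "AutoDeployment.Enabled is not true"
        elif auto.get("RetainStacksOnAccountRemoval") is not True:
            findings[logical_id] = "AutoDeployment.RetainStacksOnAccountRemoval is not true"
    return findings


def scan_text(text: str) -> dict:
    """Parse a template string and return its findings."""
    return find_unretained_stacksets(load_template(text))


def _stackset(auto_deployment=None) -> dict:
    props = {"PermissionModel": "SERVICE_MANAGED",
             "StackSetName": "some_stack_name", "TemplateURL": "some_stack_link"}
    if auto_deployment is not None:
        props["AutoDeployment"] = auto_deployment
    return {"Type": STACKSET_TYPE, "Properties": props}


# Constructed sample template (JSON so it runs without PyYAML); the resource
# shapes copy the page's positive and negative cases, plus a non-StackSet resource.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "retainFalse": _stackset({"Enabled": True, "RetainStacksOnAccountRemoval": False}),
        "retainMissing": _stackset({"Enabled": True}),
        "autoDisabled": _stackset({"Enabled": False, "RetainStacksOnAccountRemoval": True}),
        "noAutoDeployment": _stackset(),
        "compliant": _stackset({"Enabled": True, "RetainStacksOnAccountRemoval": True}),
        "plainStack": {"Type": "AWS::CloudFormation::Stack",
                       "Properties": {"TemplateURL": "some_stack_link"}},
    },
})

if __name__ == "__main__":
    for name, reason in scan_text(SAMPLE_TEMPLATE).items():
        print(f"{name}: {reason}")
```

Running the module lists the four non-compliant StackSets with a reason each and stays silent about the compliant one and the plain AWS::CloudFormation::Stack resource. The comparison is against the boolean True on purpose: a quoted "true" or an intrinsic function in that position is not accepted as proof of retention.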
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  stackset3:
    Type: AWS::CloudFormation::StackSet
    Properties:
      PermissionModel: SERVICE_MANAGED
      StackSetName: some_stack_name
      TemplateURL: some_stack_link
      AutoDeployment:
        Enabled: true
        RetainStacksOnAccountRemoval: false   # flagged: retention explicitly disabled
  stackset4:
    Type: AWS::CloudFormation::StackSet
    Properties:
      PermissionModel: SERVICE_MANAGED
      StackSetName: some_stack_name
      TemplateURL: some_stack_link
      AutoDeployment:
        Enabled: true                         # flagged: RetainStacksOnAccountRemoval missing
  stackset5:
    Type: AWS::CloudFormation::StackSet
    Properties:
      PermissionModel: SERVICE_MANAGED
      StackSetName: some_stack_name
      TemplateURL: some_stack_link
      AutoDeployment:
        Enabled: false                        # flagged: retention flag only honored when Enabled is true
        RetainStacksOnAccountRemoval: true
  stackset6:
    Type: AWS::CloudFormation::StackSet
    Properties:
      PermissionModel: SERVICE_MANAGED
      StackSetName: some_stack_name
      TemplateURL: some_stack_link
      AutoDeployment:
        RetainStacksOnAccountRemoval: false   # flagged: Enabled missing and retention disabled
  stackset7:
    Type: AWS::CloudFormation::StackSet
    Properties:                               # flagged: AutoDeployment missing entirely
      PermissionModel: SERVICE_MANAGED
      StackSetName: some_stack_name
      TemplateURL: some_stack_link
```
Positive test num. 2 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "stackset8": {
      "Type": "AWS::CloudFormation::StackSet",
      "Properties": {
        "PermissionModel": "SERVICE_MANAGED",
        "StackSetName": "some_stack_name",
        "TemplateURL": "some_stack_link",
        "AutoDeployment": {
          "Enabled": true,
          "RetainStacksOnAccountRemoval": false
        }
      }
    },
    "stackset9": {
      "Type": "AWS::CloudFormation::StackSet",
      "Properties": {
        "PermissionModel": "SERVICE_MANAGED",
        "StackSetName": "some_stack_name",
        "TemplateURL": "some_stack_link",
        "AutoDeployment": {
          "Enabled": true
        }
      }
    },
    "stackset10": {
      "Type": "AWS::CloudFormation::StackSet",
      "Properties": {
        "PermissionModel": "SERVICE_MANAGED",
        "StackSetName": "some_stack_name",
        "TemplateURL": "some_stack_link",
        "AutoDeployment": {
          "Enabled": false,
          "RetainStacksOnAccountRemoval": false
        }
      }
    },
    "stackset11": {
      "Type": "AWS::CloudFormation::StackSet",
      "Properties": {
        "PermissionModel": "SERVICE_MANAGED",
        "StackSetName": "some_stack_name",
        "TemplateURL": "some_stack_link",
        "AutoDeployment": {
          "RetainStacksOnAccountRemoval": false
        }
      }
    },
    "stackset12": {
      "Type": "AWS::CloudFormation::StackSet",
      "Properties": {
        "PermissionModel": "SERVICE_MANAGED",
        "StackSetName": "some_stack_name",
        "TemplateURL": "some_stack_link"
      }
    }
  }
}
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  stackset:
    Type: AWS::CloudFormation::StackSet
    Properties:
      PermissionModel: SERVICE_MANAGED
      StackSetName: some_stack_name
      TemplateURL: some_stack_link
      AutoDeployment:
        Enabled: true
        RetainStacksOnAccountRemoval: true   # compliant: stacks kept when an account leaves the OU
```
Negative test num. 2 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "stackset2": {
      "Type": "AWS::CloudFormation::StackSet",
      "Properties": {
        "PermissionModel": "SERVICE_MANAGED",
        "StackSetName": "some_stack_name",
        "TemplateURL": "some_stack_link",
        "AutoDeployment": {
          "Enabled": true,
          "RetainStacksOnAccountRemoval": true
        }
      }
    }
  }
}
```