Stack Retention Disabled

  • Query id: fe974ae9-858e-4991-bbd5-e040a834679f
  • Query name: Stack Retention Disabled
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Backup
  • CWE: 404
  • URL: Github

Description

Make sure that retain_stack (the AutoDeployment property RetainStacksOnAccountRemoval) is enabled to keep the Stack and its associated resources during resource destruction
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  stackset3:
    Type: AWS::CloudFormation::StackSet
    Properties:
      PermissionModel: SERVICE_MANAGED
      StackSetName: some_stack_name
      TemplateURL: some_stack_link
      AutoDeployment:
        Enabled: true
        RetainStacksOnAccountRemoval: false
  stackset4:
    Type: AWS::CloudFormation::StackSet
    Properties:
      PermissionModel: SERVICE_MANAGED
      StackSetName: some_stack_name
      TemplateURL: some_stack_link
      AutoDeployment:
        Enabled: true
  stackset5:
    Type: AWS::CloudFormation::StackSet
    Properties:
      PermissionModel: SERVICE_MANAGED
      StackSetName: some_stack_name
      TemplateURL: some_stack_link
      AutoDeployment:
        Enabled: false
        RetainStacksOnAccountRemoval: true
  stackset6:
    Type: AWS::CloudFormation::StackSet
    Properties:
      PermissionModel: SERVICE_MANAGED
      StackSetName: some_stack_name
      TemplateURL: some_stack_link
      AutoDeployment:
        RetainStacksOnAccountRemoval: false
  stackset7:
    Type: AWS::CloudFormation::StackSet
    Properties:
      PermissionModel: SERVICE_MANAGED
      StackSetName: some_stack_name
      TemplateURL: some_stack_link
Positive test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "stackset8": {
      "Type": "AWS::CloudFormation::StackSet",
      "Properties": {
        "PermissionModel": "SERVICE_MANAGED",
        "StackSetName": "some_stack_name",
        "TemplateURL": "some_stack_link",
        "AutoDeployment": {
          "Enabled": true,
          "RetainStacksOnAccountRemoval": false
        }
      }
    },
    "stackset9": {
      "Type": "AWS::CloudFormation::StackSet",
      "Properties": {
        "PermissionModel": "SERVICE_MANAGED",
        "StackSetName": "some_stack_name",
        "TemplateURL": "some_stack_link",
        "AutoDeployment": {
          "Enabled": true
        }
      }
    },
    "stackset10": {
      "Type": "AWS::CloudFormation::StackSet",
      "Properties": {
        "PermissionModel": "SERVICE_MANAGED",
        "StackSetName": "some_stack_name",
        "TemplateURL": "some_stack_link",
        "AutoDeployment": {
          "Enabled": false,
          "RetainStacksOnAccountRemoval": false
        }
      }
    },
    "stackset11": {
      "Type": "AWS::CloudFormation::StackSet",
      "Properties": {
        "PermissionModel": "SERVICE_MANAGED",
        "StackSetName": "some_stack_name",
        "TemplateURL": "some_stack_link",
        "AutoDeployment": {
          "RetainStacksOnAccountRemoval": false
        }
      }
    },
    "stackset12": {
      "Type": "AWS::CloudFormation::StackSet",
      "Properties": {
        "PermissionModel": "SERVICE_MANAGED",
        "StackSetName": "some_stack_name",
        "TemplateURL": "some_stack_link"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  stackset:
    Type: AWS::CloudFormation::StackSet
    Properties:
      PermissionModel: SERVICE_MANAGED
      StackSetName: some_stack_name
      TemplateURL: some_stack_link
      AutoDeployment:
        Enabled: true
        RetainStacksOnAccountRemoval: true
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "stackset2": {
      "Type": "AWS::CloudFormation::Stack",
      "Properties": {
        "PermissionModel": "SERVICE_MANAGED",
        "StackSetName": "some_stack_name",
        "TemplateURL": "some_stack_link",
        "AutoDeployment": {
          "Enabled": true,
          "RetainStacksOnAccountRemoval": true
        }
      }
    }
  }
}
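The following is an added Python example (not KICS's own query or test code) that applies the rule the samples above illustrate to a CloudFormation template loaded as a dict: every AWS::CloudFormation::StackSet must carry an AutoDeployment block with both Enabled and RetainStacksOnAccountRemoval set to true, and any other shape is reported. The rule is reconstructed from the positive and negative samples on this page; the template in the block is constructed from their placeholder values, and the helper names are the example's own.

```python
STACKSET_TYPE = "AWS::CloudFormation::StackSet"

def _is_true(value) -> bool:
    # CloudFormation accepts a boolean or the string "true" for boolean properties
    return value is True or (isinstance(value, str) and value.lower() == "true")

def stackset_findings(template: dict) -> list[tuple[str, str]]:
    """Return (logical_id, reason) for each StackSet that does not retain stacks.
    Rule reconstructed from the page's samples (not KICS's own query code):
    a StackSet passes only when AutoDeployment has both Enabled: true and
    RetainStacksOnAccountRemoval: true; anything else is a finding.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != STACKSET_TYPE:
            continue  # e.g. AWS::CloudFormation::Stack is out of this query's scope
        auto = resource.get("Properties", {}).get("AutoDeployment")
        if not isinstance(auto, dict):
            findings.append((logical_id, "AutoDeployment is not defined"))
        elif not _is_true(auto.get("Enabled")):
            findings.append((logical_id, "AutoDeployment.Enabled is not true"))
        elif not _is_true(auto.get("RetainStacksOnAccountRemoval")):
            findings.append((logical_id, "RetainStacksOnAccountRemoval is not true"))
    return findings

def _res(auto_deployment=None, type_=STACKSET_TYPE) -> dict:
    # Builds a minimal resource using the page's placeholder property values
    props = {"PermissionModel": "SERVICE_MANAGED", "StackSetName": "some_stack_name",
             "TemplateURL": "some_stack_link"}
    if auto_deployment is not None:
        props["AutoDeployment"] = auto_deployment
    return {"Type": type_, "Properties": props}

# Constructed template that mirrors the page's positive and negative samples
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "stackset3": _res({"Enabled": True, "RetainStacksOnAccountRemoval": False}),
        "stackset4": _res({"Enabled": True}),
        "stackset5": _res({"Enabled": False, "RetainStacksOnAccountRemoval": True}),
        "stackset7": _res(),
        "stackset": _res({"Enabled": True, "RetainStacksOnAccountRemoval": True}),
        "stackset2": _res({"Enabled": True, "RetainStacksOnAccountRemoval": True},
                          type_="AWS::CloudFormation::Stack"),
    },
}

if __name__ == "__main__":
    for logical_id, reason in stackset_findings(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {reason}")
```

Running it reports stackset3, stackset4, stackset5 and stackset7 with the reason each fails, while stackset (compliant) and stackset2 (a plain Stack, not a StackSet) produce no finding.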