Stack Retention Disabled

Query id: fe974ae9-858e-4991-bbd5-e040a834679f
Query name: Stack Retention Disabled
Platform: CloudFormation
Severity: Medium
Category: Backup
CWE: 404
URL: Github

Description¶

Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - yaml file

< Re

Positive test num. 2 - json file

/span>

AWSTemplateFormatVersion: '2010-09-09' sources: stackset3: Type: AWS::CloudFormation::StackSet Properties: PermissionModel: SERVICE_MANAGED StackSetName: some_stack_name TemplateURL: some_stack_link AutoDeployment: Enabled: true class="w">        RetainStacksOnAccountRemoval: false stackset4: Type: AWS::CloudFormation::StackSet Properties: PermissionModel: SERVICE_MANAGED StackSetName: some_stack_name TemplateURL: some_stack_link class="w">      AutoDeployment: Enabled: true stackset5: Type: AWS::CloudFormation::StackSet Properties: PermissionModel: SERVICE_MANAGED StackSetName: some_stack_name TemplateURL: some_stack_link AutoDeployment: class="w">        Enabled: false RetainStacksOnAccountRemoval: true stackset6: Type: AWS::CloudFormation::StackSet Properties: PermissionModel: SERVICE_MANAGED StackSetName: some_stack_name TemplateURL: some_stack_link class="w">      AutoDeployment: RetainStacksOnAccountRemoval: false stackset7: Type: AWS::CloudFormation::StackSet class="w">    Properties: PermissionModel: SERVICE_MANAGED StackSetName: some_stack_name TemplateURL: some_stack_link /span>{ "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "stackset8": { "Type": "AWS::CloudFormation::StackSet", "Properties": { "PermissionModel": "SERVICE_MANAGED", "StackSetName": "some_stack_name", "TemplateURL": "some_stack_link", "AutoDeployment": { "Enabled": true, class="w">          "RetainStacksOnAccountRemoval": false } } }, "stackset9": { "Type": "AWS::CloudFormation::StackSet", "Properties": { "PermissionModel": "SERVICE_MANAGED", "StackSetName": "some_stack_name", "TemplateURL": "some_stack_link", class="w">        "AutoDeployment": { "Enabled": true } } }, "stackset10": { "Type": "AWS::CloudFormation::StackSet", "Properties": { "PermissionModel": "SERVICE_MANAGED", "StackSetName": "some_stack_name", "TemplateURL": "some_stack_link", "AutoDeployment": { class="w">          "Enabled": false, "RetainStacksOnAccountRemoval": false } } }, "stackset11": { "Type": "AWS::CloudFormation::StackSet", "Properties": { "PermissionModel": "SERVICE_MANAGED", "StackSetName": "some_stack_name", "TemplateURL": "some_stack_link", class="w">        "AutoDeployment": { "RetainStacksOnAccountRemoval": false } } }, "stackset12": { "Type": "AWS::CloudFormation::StackSet", class="w">      "Properties": { "PermissionModel": "SERVICE_MANAGED", "StackSetName": "some_stack_name", "TemplateURL": "some_stack_link" } } } }
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml fileAWSTemplateFormatVersion: '2010-09-09'
Resources:
  stackset:
    Type: AWS::CloudFormation::StackSet
    Properties:
      PermissionModel: SERVICE_MANAGED
      StackSetName: some_stack_name
      TemplateURL: some_stack_link
      AutoDeployment:
        Enabled: true
        RetainStacksOnAccountRemoval: true

Negative test num. 2 - json file{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "stackset2": {
      "Type": "AWS::CloudFormation::Stack",
      "Properties": {
        "PermissionModel": "SERVICE_MANAGED",
        "StackSetName": "some_stack_name",
        "TemplateURL": "some_stack_link",
        "AutoDeployment": {
          "Enabled": true,
          "RetainStacksOnAccountRemoval": true
        }
      }
    }
  }
}