No Stack Policy

• Query id: 2f01fb2d-828a-499d-b98e-b83747305052
• Query name: No Stack Policy
• Platform: Terraform
• Severity: Medium
• Category: Resource Management
• CWE: 829
• URL: Github

Description

AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file

resource "aws_cloudformation_stack" "positive1" {

  name = "networking-stack"

  parameters = {
    VPCCidr = "10.0.0.0/16"
  }

}

Code samples without security vulnerabilities

Negative test num. 1 - tf file

resource "aws_cloudformation_stack" "negative1" {

     name = "networking-stack"

     parameters = {
     VPCCidr = "10.0.0.0/16"
     }

     policy_url = "somepolicyurl"
}



resource "aws_cloudformation_stack" "negative2" {

     name = "networking-stack"

     parameters = {
     VPCCidr = "10.0.0.0/16"
     }

     policy_body = "somepolicy"
}