No Stack Policy

  • Query id: 2f01fb2d-828a-499d-b98e-b83747305052
  • Query name: No Stack Policy
  • Platform: Terraform
  • Severity: Medium
  • Category: Resource Management
  • CWE: 829
  • URL: Github

Description

An AWS CloudFormation stack should have a stack policy attached (policy_body or policy_url on the aws_cloudformation_stack resource) so that stack updates cannot unintentionally modify, replace or delete critical resources. Without a stack policy, any update applied to the stack is free to change, replace or delete every resource it contains. Note that once a policy is attached, CloudFormation denies every update action that the policy does not explicitly allow, so a working policy pairs a broad Allow with targeted Deny statements for the resources that must survive an update.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_cloudformation_stack" "positive1" {

  name = "networking-stack"

  parameters = {
    VPCCidr = "10.0.0.0/16"
  }

  # Neither policy_body nor policy_url is set: no stack policy protects
  # the stack's resources from replacement or deletion during updates.
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_cloudformation_stack" "negative1" {

  name = "networking-stack"

  parameters = {
    VPCCidr = "10.0.0.0/16"
  }

  # Stack policy loaded from a URL (typically an S3 object holding the JSON policy)
  policy_url = "somepolicyurl"
}

resource "aws_cloudformation_stack" "negative2" {

  name = "networking-stack"

  parameters = {
    VPCCidr = "10.0.0.0/16"
  }

  # Stack policy supplied inline as a JSON document
  policy_body = "somepolicy"
}
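A fuller compliant configuration, added here as an example (it is not one of the KICS test samples and not code from the KICS project): it attaches an inline stack policy with jsonencode and shows the caveat that once a policy is present, CloudFormation denies any update action that is not explicitly allowed. The template body, the logical resource id ProductionVpc and the resource name are assumptions made for illustration.

```hcl
# Added example: a stack with an inline stack policy. The template, the
# logical resource id "ProductionVpc" and the resource name are illustrative
# assumptions, not values taken from the KICS query or its test samples.
resource "aws_cloudformation_stack" "networking" {
  name = "networking-stack"

  parameters = {
    VPCCidr = "10.0.0.0/16"
  }

  # Minimal template so the stack has a resource worth protecting.
  template_body = jsonencode({
    AWSTemplateFormatVersion = "2010-09-09"
    Parameters = {
      VPCCidr = { Type = "String" }
    }
    Resources = {
      ProductionVpc = {
        Type       = "AWS::EC2::VPC"
        Properties = { CidrBlock = { Ref = "VPCCidr" } }
      }
    }
  })

  # Stack policy. As soon as a policy is attached, CloudFormation denies every
  # update action that is not explicitly allowed, so a policy containing only
  # Deny statements blocks all future updates. The usual shape is therefore
  # "allow everything, then deny the destructive actions on the resources that
  # must survive an update".
  policy_body = jsonencode({
    Statement = [
      {
        Effect    = "Allow"
        Action    = "Update:*"
        Principal = "*"
        Resource  = "*"
      },
      {
        # Replacing or deleting the VPC would tear down everything inside it.
        Effect    = "Deny"
        Action    = ["Update:Replace", "Update:Delete"]
        Principal = "*"
        Resource  = "LogicalResourceId/ProductionVpc"
      }
    ]
  })
}
```

The same JSON document can instead be stored in S3 and referenced through policy_url. After apply, confirm the policy is actually attached with aws cloudformation get-stack-policy --stack-name networking-stack; an empty response means the stack is still unprotected. When a protected resource genuinely has to be replaced, the intended path is a deliberate, temporary override of the policy for that single update (the AWS CLI exposes this as --stack-policy-during-update-body on update-stack) rather than weakening the permanent policy.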