Get started with Stack Policy in AWS CloudFormation

In AWS CloudFormation, a Stack Policy is a JSON-based document that allows you to control the actions that can be performed on resources within a CloudFormation stack. It acts as a safeguard to prevent unauthorized changes to your stack resources.

When you apply a stack policy to a CloudFormation stack, it restricts the actions that can be taken on resources during stack updates. These policies are useful in scenarios where you want to maintain strict control over your infrastructure and prevent certain modifications that could cause unintended consequences or security risks.

A stack policy consists of a set of statements that define the allowed or denied actions. Each statement includes a list of resources and the actions that are permitted or denied on those resources. The policy follows a "deny by default" approach, meaning that all actions are implicitly denied unless specifically allowed.

Here's an example of a stack policy statement:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "Update:Replace",
      "Principal": "*",
      "Resource": "AWS::EC2::Instance"
    }
  ]
}

In this example, the stack policy allows any update action on any resource but denies the Update:Replace action on AWS::EC2::Instance resources. This means that you can update existing resources, but you cannot replace an EC2 instance within the stack.

Stack policies are particularly useful for maintaining compliance, preventing accidental modifications, or ensuring that critical resources are not deleted or modified without proper authorization.

It's important to note that stack policies only apply to stack updates and not stack creation. Once a stack is created, its associated stack policy takes effect during subsequent updates.

Defining a stack policy

When you create a stack, no stack policy is set, so all update actions are allowed on all resources. To protect stack resources from update actions, define a stack policy and then set it on your stack. A stack policy is a JSON document that defines the AWS CloudFormation stack update actions that AWS CloudFormation users can perform and the resources that the actions apply to. You set the stack policy when you create a stack, by specifying a text file that contains your stack policy or typing it out. When you set a stack policy on your stack, any update not explicitly allowed is denied by default.

You define a stack policy with five elements: Effect, Action, Principal, Resource, and Condition. The following pseudo code shows stack policy syntax.

{
  "Statement" : [
    {
      "Effect" : "Deny_or_Allow",
      "Action" : "update_actions",
      "Principal" : "*",
      "Resource" : "LogicalResourceId/resource_logical_ID",
      "Condition" : {
        "StringEquals_or_StringLike" : {
          "ResourceType" : [resource_type, ...]
        }
      }
    }
  ]
}

If a stack policy includes overlapping statements (both allowing and denying updates on a resource), a Deny statement always overrides an Allow statement. To ensure that a resource is protected, use a Deny statement for that resource.

Action

Specifies the update actions that are denied or allowed:

Update:Modify

Specifies update actions during which resources might experience no interruptions or some interruptions while changes are being applied. All resources maintain their physical IDs.

Update:Replace

Specifies update actions during which resources are recreated. AWS CloudFormation creates a new resource with the specified updates and then deletes the old resource. Because the resource is recreated, the physical ID of the new resource might be different.

Update:Delete

Specifies update actions during which resources are removed. Updates that completely remove resources from a stack template require this action.

Update:*

Specifies all update actions. The asterisk is a wild card that represents all update actions.

Hands-on Lab: Allow all update except for Delete action

In this hands-on lab we will practice setting stack policy on EC2 instances, which prevents resource deletions during stack updates. Stack policy is set during the stack creation process.

To set a stack policy when you create a stack (console)

  1. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.

  2. On the CloudFormation Stacks page, choose Create stack.

  3. Upload the following template to provision EC2 instance:

     AWSTemplateFormatVersion: '2010-09-09'
     Resources:
       MyEC2Instance:
         Type: 'AWS::EC2::Instance'
         Properties:
           ImageId: ami-06b09bfacae1453cb  # Specify the desired AMI ID
           InstanceType: t2.micro      # Specify the desired instance type
           Tags:
             - Key: Name
               Value: MyEC2Instance    # Specify the desired name for the instance
    

  1. Specify the stack name:

  2. In Advanced options in Stack Policy upload the following JSON based policy file, which restricts any resource deletion during stack updates:

     {
       "Statement" : [
         {
           "Effect" : "Allow",
           "NotAction" : "Update:Delete",
           "Principal": "*",
           "Resource" : "*"
         }
       ]
     }
    

  3. After stack creation, update the stack by deleting EC2 resource. To delete EC2 resource we need only to rename the logical ID name to MyEC2Instance2. Press Update and upload the following template:

     AWSTemplateFormatVersion: '2010-09-09'
     Resources:
       MyEC2Instance2:
         Type: 'AWS::EC2::Instance'
         Properties:
           ImageId: ami-06b09bfacae1453cb  # Specify the desired AMI ID
           InstanceType: t2.micro      # Specify the desired instance type
           Tags:
             - Key: Name
               Value: MyEC2Instance    # Specify the desired name for the instance
    

Replace the current template:

After initiating the update process, you will see messages appearing in the Events tab indicating the rollback process. The reason for these messages is stack policy permissions:

  1. Now if you try to update the ec2 instance from micro to small type, then the update will be successfully run as the stack policy allows it:

     AWSTemplateFormatVersion: '2010-09-09'
     Resources:
       MyEC2Instance:
         Type: 'AWS::EC2::Instance'
         Properties:
           ImageId: ami-06b09bfacae1453cb  # Specify the desired AMI ID
           InstanceType: t2.small      # Specify the desired instance type
           Tags:
             - Key: Name
               Value: MyEC2Instance    # Specify the desired name for the instance
    

References:

  1. Prevent updates to stack resources

  2. AWS Resources