{"id":4439,"date":"2021-05-02T16:50:02","date_gmt":"2021-05-02T14:50:02","guid":{"rendered":"http:\/\/miro.borodziuk.eu\/?p=4439"},"modified":"2021-06-28T17:31:35","modified_gmt":"2021-06-28T15:31:35","slug":"cloudformation-8-stack-policies","status":"publish","type":"post","link":"http:\/\/miro.borodziuk.eu\/index.php\/2021\/05\/02\/cloudformation-8-stack-policies\/","title":{"rendered":"CloudFormation – 8 – Stack Policies"},"content":{"rendered":"

<\/p>\n

We have such a yaml template:<\/p>\n

Parameters:\r\n  VPCId:\r\n    Description: VPC to create the security group into\r\n    Type: AWS::EC2::VPC::Id\r\n  \r\n  CidrSSH:\r\n    Type: String\r\n    Default: \"0.0.0.0\/0\"\r\n\r\n  CidrHTTP:\r\n    Type: String\r\n    Default: \"0.0.0.0\/0\"\r\n\r\nResources:\r\n  SSHSecurityGroup:\r\n    Type: \"AWS::EC2::SecurityGroup\"\r\n    Properties:\r\n      GroupDescription: Test Drift SSH Security Group\r\n      SecurityGroupIngress:\r\n        - CidrIp: !Ref CidrSSH\r\n          FromPort: 22\r\n          ToPort: 22\r\n          IpProtocol: tcp\r\n      VpcId: !Ref VPCId\r\n\r\n  CriticalSecurityGroup:\r\n    Type: \"AWS::EC2::SecurityGroup\"\r\n    Properties:\r\n      GroupDescription: Test Drift HTTP Security Group\r\n      SecurityGroupIngress:\r\n        - CidrIp: !Ref CidrHTTP\r\n          FromPort: 80\r\n          ToPort: 80\r\n          IpProtocol: tcp\r\n      VpcId: !Ref VPCId\r\n<\/pre>\n
And a json Stack Policy:<\/p>\n
{\r\n    \"Statement\": [\r\n        {\r\n            \"Effect\": \"Allow\",\r\n            \"Action\": \"Update:*\",\r\n            \"Principal\": \"*\",\r\n            \"Resource\": \"*\"\r\n        },\r\n        {\r\n            \"Effect\": \"Deny\",\r\n            \"Action\": \"Update:*\",\r\n            \"Principal\": \"*\",\r\n            \"Resource\": \"LogicalResourceId\/CriticalSecurityGroup\"\r\n        },\r\n        {\r\n            \"Effect\" : \"Deny\",\r\n            \"Action\" : \"Update:*\",\r\n            \"Principal\": \"*\",\r\n            \"Resource\" : \"*\",\r\n            \"Condition\" : {\r\n              \"StringEquals\" : {\r\n                \"ResourceType\" : [\"AWS::RDS::DBInstance\"]\r\n              }\r\n            }\r\n        }\r\n    ]\r\n}<\/pre>\n
This stack policy which will allow us to update SSHSecurityGroup but update of CriticalSecurityGroup will be denied.<\/p>\n
So lets’s create a stack:<\/p>\n
\"\"<\/p>\n
Next -><\/code><\/p>\n
\"\"<\/p>\n
Next -><\/code><\/p>\n
\"\"<\/p>\n
Next -> Create stack<\/code><\/p>\n
The Stack has been created with stack\u00a0 policy. Now let’s try to update it.<\/p>\n
First we will update CidrSSH subnet:<\/p>\n
\"\"<\/p>\n
Next -> Next ->\u00a0 Update stack<\/code><\/p>\n
And update has finished because stack policy allowed for this.<\/p>\n
\"\"<\/p>\n
Now let’s try to update CidrHTTP:<\/p>\n
\"\"<\/p>\n
Next -> Next -> Update stack<\/p>\n
Update of stack has failed because action was denied by the stack policy.<\/p>\n
\"\"<\/p>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n
\n
Read\u00a0more\u00a0here:<\/div>\n
https:\/\/docs.aws.amazon.com\/AWSCloudFormation\/latest\/UserGuide\/protect-stack-resources.html<\/a><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[89],"tags":[],"_links":{"self":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/4439"}],"collection":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/comments?post=4439"}],"version-history":[{"count":6,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/4439\/revisions"}],"predecessor-version":[{"id":4453,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/4439\/revisions\/4453"}],"wp:attachment":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/media?parent=4439"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/categories?post=4439"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/tags?post=4439"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}