Misconfigured CloudFormation Vulnerability in AWS
Description
AWS CloudFormation is a service that deploys instances and services from pre-defined templates. It enables infrastructure as code on AWS: the resources described in a template are deployed together as a CloudFormation stack. Using CloudFormation, solution architects and cloud engineers can manage infrastructure, replicate environments quickly and handle deployments in which the infrastructure changes rapidly.
Impact
Because CloudFormation touches most services on AWS, and because templates can be tailored to a wide variety of requirements, its attack surface is significantly larger than that of most other AWS services. A poorly crafted template leads to a misconfigured stack, which can cause privilege escalation, exposed services, unlogged events and data loss.
Prevention
Data Protection
Dynamic Parameters
If the use of sensitive information in CloudFormation is unavoidable, use dynamic parameters in the stack template to reference sensitive information that is stored and managed outside of CloudFormation, such as in AWS Systems Manager Parameter Store or AWS Secrets Manager, instead of writing the value into the template itself.
Encryption at rest
To ensure your CloudFormation templates are encrypted when stored in the cloud, enable at-rest encryption for templates stored in S3 buckets or other storage services. Similarly, define encryption settings for any data storage systems provisioned by CloudFormation. On S3 this can be done using SSE-S3 or SSE-KMS.
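The two controls above (secrets pulled in through dynamic references rather than written into the template, and encryption declared on provisioned storage) can be checked before a template is deployed. The following is an added example, not code from the original page or from AWS: a small audit over a constructed JSON template that flags sensitive parameters without NoEcho, literal secrets in resource properties, and S3 buckets with no BucketEncryption. The template contents, resource names and the key alias are assumptions for illustration.

```python
import json
import re

# Constructed sample template (not from the page): one weak and one hardened
# resource of each kind, so both outcomes of every check are exercised.
SAMPLE_TEMPLATE = json.loads("""
{
  "Parameters": {"DbPassword": {"Type": "String"}},
  "Resources": {
    "WeakBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "GoodBucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                           "KMSMasterKeyID": "alias/example-key"}}]}}},
    "WeakDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
      "MasterUsername": "admin", "MasterUserPassword": "hunter2"}},
    "GoodDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
      "MasterUsername": "admin",
      "MasterUserPassword": "{{resolve:secretsmanager:prod/db:SecretString:password}}"}}
  }
}
""")

# Property or parameter names that usually carry a secret.
SECRET_NAME = re.compile(r"(password|secret|token|apikey)", re.I)
# CloudFormation dynamic references to Parameter Store (SecureString) or Secrets Manager.
DYNAMIC_REF = re.compile(r"^\{\{resolve:(ssm-secure|secretsmanager):")


def audit_template(template):
    """Return one finding string per weakness found in a parsed CloudFormation template."""
    findings = []
    for name, param in template.get("Parameters", {}).items():
        # A sensitive parameter without NoEcho is echoed back in stack descriptions.
        if SECRET_NAME.search(name) and not param.get("NoEcho"):
            findings.append(f"Parameter {name}: sensitive-looking parameter without NoEcho")
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::S3::Bucket" and "BucketEncryption" not in props:
            findings.append(f"{name}: S3 bucket without BucketEncryption (SSE-S3/SSE-KMS)")
        for key, value in props.items():
            # A literal string in a secret-bearing property is stored in the template itself.
            if SECRET_NAME.search(key) and isinstance(value, str) and not DYNAMIC_REF.match(value):
                findings.append(f"{name}.{key}: literal secret in template, use a dynamic reference")
    return findings


if __name__ == "__main__":
    for finding in audit_template(SAMPLE_TEMPLATE):
        print(finding)
```

Run against the constructed template it reports three findings (the parameter, the unencrypted bucket and the literal database password) and nothing for the hardened resources.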
Internetwork traffic privacy
AWS CloudFormation service communications are securely encrypted by default between Regions or Availability Zones.
Access Control
AWS CloudFormation requires access controls to be put in place both for the resources created within a CloudFormation stack and for the actions that can be taken on CloudFormation itself, such as viewing stack templates, creating stacks or deleting stacks. These access control measures are defined in IAM and enforced through IAM policies.
To allow a user to perform CloudFormation actions, AWS recommends creating an IAM group and adding the users to it. The group then needs an IAM policy like the one below to permit CloudFormation actions.
```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "cloudformation:DescribeStacks",
      "cloudformation:DescribeStackEvents",
      "cloudformation:DescribeStackResource",
      "cloudformation:DescribeStackResources"
    ],
    "Resource": "*"
  }]
}
```
Further control can be established by using the 'Condition' property within a policy to manage when the policy takes effect, for example restricting the Regions a stack set operation may target.
```json
"Condition": {
  "ForAllValues:StringEqualsIgnoreCase": {
    "cloudformation:TargetRegion": [
      "us-east-1",
      "eu-west-1"
    ]
  }
}
```
Users managing CloudFormation stacks also require access to the resources created within those stacks. By default, AWS uses temporary sessions generated from the user's credentials to perform stack operations, so the user needs every permission the stack requires. CloudFormation and the users operating it need not share the same level of permissions, however.
It is therefore best to delegate permissions to CloudFormation through a service role. Remember, though, that if the role includes permissions the user should not have, anyone allowed to pass that role to CloudFormation can unintentionally gain them, escalating the user's effective permissions.
Logging and Monitoring
Enable CloudTrail logging: CloudTrail records the API activity that takes place in CloudFormation and stores those records in an S3 bucket.