CloudFormation stack has termination protection enabled
cloudformation_stacks_termination_protection_enabled
This check evaluates AWS CloudFormation root stacks (stacks that are not nested inside another stack) and reports whether termination protection is enabled. When enabled, termination protection blocks deletion of the stack until it is explicitly disabled.
Risk
Without termination protection, human error or automation can delete entire stacks, causing immediate availability loss and potential data destruction of managed resources.
Attackers with delete rights can more easily trigger outages and hinder recovery.
prowler aws --checks cloudformation_stacks_termination_protection_enabled
Recommendation
Enable termination protection on root stacks for critical workloads. Enforce least privilege on who can alter this setting or delete stacks, require change review via change sets, and apply stack policies plus DeletionPolicy: Retain for data stores for defense in depth.
Remediation
aws cloudformation update-termination-protection --stack-name <STACK_NAME> --enable-termination-protection
- Open the AWS CloudFormation console
- Select the target stack
- Choose Stack actions > Edit termination protection
- Select Enable and Save
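The detection and the CLI remediation above, written out as an added example (not Prowler's own check implementation): the evaluation runs over the `Stacks` list shape returned by `cloudformation:DescribeStacks`, skips nested stacks (those carrying `RootId`/`ParentId`), flags root stacks where `EnableTerminationProtection` is false or absent, and offers a helper that issues the equivalent of `update-termination-protection` for a failing stack. The sample stacks, names, account id and stack ids are constructed for the example; `fetch_stacks` and `enable_termination_protection` assume a boto3 CloudFormation client is passed in, so the evaluation itself runs offline.

```python
"""Evaluate CloudFormation root stacks for termination protection.

Added example, not Prowler's own code. Works on the ``Stacks`` list that
``cloudformation:DescribeStacks`` returns so it can run offline against the
constructed sample below; the two client helpers assume a boto3 client.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Finding:
    stack_name: str
    stack_id: str
    status: str  # "PASS" or "FAIL"
    detail: str


def is_root_stack(stack: dict) -> bool:
    """Nested stacks carry RootId/ParentId in DescribeStacks output; root stacks do not."""
    return "RootId" not in stack and "ParentId" not in stack


def evaluate_stacks(stacks: Iterable[dict]) -> list[Finding]:
    """Produce one PASS/FAIL finding per root stack; nested stacks are skipped."""
    findings: list[Finding] = []
    for stack in stacks:
        if not is_root_stack(stack):
            continue
        # A missing key is treated as disabled: absence of the flag is not protection.
        enabled = bool(stack.get("EnableTerminationProtection", False))
        findings.append(
            Finding(
                stack_name=stack["StackName"],
                stack_id=stack["StackId"],
                status="PASS" if enabled else "FAIL",
                detail=(
                    f"Stack {stack['StackName']} has termination protection enabled."
                    if enabled
                    else f"Stack {stack['StackName']} does not have termination protection enabled."
                ),
            )
        )
    return findings


def failing_stack_names(stacks: Iterable[dict]) -> list[str]:
    """Names of root stacks that would be reported as FAIL, in input order."""
    return [f.stack_name for f in evaluate_stacks(stacks) if f.status == "FAIL"]


def fetch_stacks(client) -> list[dict]:
    """Page through DescribeStacks with a boto3 CloudFormation client (assumed caller-supplied)."""
    stacks: list[dict] = []
    for page in client.get_paginator("describe_stacks").paginate():
        stacks.extend(page["Stacks"])
    return stacks


def enable_termination_protection(client, stack_name: str) -> dict:
    """Remediate one stack; mirrors `aws cloudformation update-termination-protection --enable-termination-protection`."""
    return client.update_termination_protection(
        EnableTerminationProtection=True, StackName=stack_name
    )


# Constructed sample resembling DescribeStacks output (account id and stack ids are placeholders).
_ACCOUNT = "123456789012"
_ARN = f"arn:aws:cloudformation:us-east-1:{_ACCOUNT}:stack"
SAMPLE_STACKS = [
    {"StackName": "payments-db", "StackId": f"{_ARN}/payments-db/00000000-0000-0000-0000-000000000001",
     "StackStatus": "CREATE_COMPLETE", "EnableTerminationProtection": False},
    {"StackName": "web-tier", "StackId": f"{_ARN}/web-tier/00000000-0000-0000-0000-000000000002",
     "StackStatus": "UPDATE_COMPLETE", "EnableTerminationProtection": True},
    # Nested stack: inherits deletion behaviour from its root, so the check skips it.
    {"StackName": "web-tier-Alb-ABC123", "StackId": f"{_ARN}/web-tier-Alb-ABC123/00000000-0000-0000-0000-000000000003",
     "StackStatus": "UPDATE_COMPLETE", "EnableTerminationProtection": False,
     "ParentId": f"{_ARN}/web-tier/00000000-0000-0000-0000-000000000002",
     "RootId": f"{_ARN}/web-tier/00000000-0000-0000-0000-000000000002"},
    # Root stack whose response lacks the flag entirely: reported as FAIL.
    {"StackName": "legacy-tools", "StackId": f"{_ARN}/legacy-tools/00000000-0000-0000-0000-000000000004",
     "StackStatus": "CREATE_COMPLETE"},
]


if __name__ == "__main__":
    for finding in evaluate_stacks(SAMPLE_STACKS):
        print(f"{finding.status:4} {finding.stack_name}: {finding.detail}")
```

Running the block against the sample prints a FAIL for `payments-db` and `legacy-tools` and a PASS for `web-tier`; the nested `web-tier-Alb-ABC123` produces no finding. To run it against a real account, call `evaluate_stacks(fetch_stacks(boto3.client("cloudformation")))` and pass each failing name to `enable_termination_protection` only after the change has been reviewed.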
Resource Type
AwsCloudFormationStack