CloudFormation Notification options Documentation and Stack Updates


When making use of CloudFormation, Security Hub will generate the following finding if there is no SNS topic for CloudFormation to publish event info to:

CloudFormation.1 CloudFormation stacks should be integrated with Simple Notification Service (SNS)

I've come across two issues with this finding. The first is that the remediation process in the official documentation is quite lengthy and leads to a process involving SNS-backed custom resources. A much more simplified solution is to simply navigate to CloudFormation in the console, select the stack you wish to update and under "Notification options" add the SNS arn or create a new SNS topic.

The second issue is an extension of the first. Suppose you had an SNS topic in a security account and wanted the stacks in other accounts within an organization to publish events to that centralized SNS topic. This is possible (assuming the SNS topic has the appropriate access policy in place) but not through the console - it will not allow you to add an arn from a different account. However, if we run the following in the CLI the CF stack will now publish events to the intended cross-account SNS topic.

aws cloudformation update-stack --stack-name <cf-stack-name> --use-previous-template --notification-arns "<cross-account-sns-arn>" --profile <account-named-profile>

EDIT/ADDITION

The previous CLI command is now also presenting its own issues. I would think that updating a CloudFormation stack with an SNS notification would be straightforward - and in my original usage it was. However, when trying to remediate the CloudFormation.1 findings for other CF stacks the process has thrown some errors. Specifically, I have a number of stack instances that were created as part of a stackset when using Quick Setup in Systems Manager for OpsCenter and Patch Manager across my organization.

When I run the CLI command I seem to be getting one of a few errors. When trying to update the OpsCenter stack with a notification arn I get the following error:

An error occurred (ValidationError) when calling the UpdateStack operation: Parameters: [QSConfigurationId, QSType, DelegatedAccountId, QSGlobalResourcesRegion] must have values

And when trying to update the PatchPolicy stack I get the error:

An error occurred (InsufficientCapabilitiesException) when calling the UpdateStack operation: Requires capabilities : [CAPABILITY_NAMED_IAM]

For this error I was able to follow the documentation at https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_UpdateStack.html

which, in adding "--capabilities CAPABILITY_NAMED_IAM" to the CLI command, enabled it to run. HOWEVER, while briefly adding the SNS topic as a Notification option, this was soon reversed in a roll-back that was triggered due to an error in the update process for the stack. Specifically the Logical ID: SystemAssociationForScanningPatches failed with the following error:

Resource handler returned message: "Model validation failed (#: 4 schema violations found) #/MaxErrors: failed validation constraint for keyword [pattern] (#/MaxErrors) #/MaxConcurrency: failed validation constraint for keyword [pattern] (#/MaxConcurrency) #/OutputLocation/S3Location: 2 schema violations found (#/OutputLocation/S3Location)" (RequestToken: 0dd0b2ad-e1d9-9255-281e-4f0f49afe6c9, HandlerErrorCode: InvalidRequest)

Suffice to say that updating a stack with a notification arn is no straightforward feat. I would have assumed (incorrectly) that performing this update would not trigger an update on other resources in the stack, but simply add the SNS topic. I'm having difficulty finding any straightforward answers here. So any advice would be useful!
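The two errors quoted above (parameters "must have values" and "Requires capabilities") both come from UpdateStack re-evaluating the whole stack rather than just appending a notification ARN. As an added example (not from the original post or from AWS), the helper below reads the stack's current parameters and capabilities from a DescribeStacks result, marks every parameter UsePreviousValue, carries the existing capabilities forward, and stages the change as a change set so the resources that would be touched can be reviewed before anything executes. The stack description, stack name and topic ARN are constructed placeholders; the boto3 calls are only made in the second function.

```python
"""Add an SNS notification ARN to an existing CloudFormation stack while
reusing the current template, parameter values and capabilities.
Added example; SAMPLE_STACK is a constructed DescribeStacks-shaped record."""

# Constructed sample shaped like one entry of describe_stacks()["Stacks"].
SAMPLE_STACK = {
    "StackName": "StackSet-QuickSetup-OpsCenter-PLACEHOLDER",
    "Parameters": [
        {"ParameterKey": "QSConfigurationId", "ParameterValue": "cfg-placeholder"},
        {"ParameterKey": "QSType", "ParameterValue": "OpsCenter"},
        {"ParameterKey": "DelegatedAccountId", "ParameterValue": "111111111111"},
        {"ParameterKey": "QSGlobalResourcesRegion", "ParameterValue": "us-east-1"},
    ],
    "Capabilities": ["CAPABILITY_NAMED_IAM"],
    "NotificationARNs": [],
}


def build_notification_update(stack: dict, sns_topic_arn: str) -> dict:
    """Return the kwargs for update_stack()/create_change_set() that change
    only the notification list: every existing parameter is passed with
    UsePreviousValue=True (avoids the 'must have values' ValidationError)
    and the stack's existing capabilities are repeated (avoids
    InsufficientCapabilitiesException)."""
    params = [{"ParameterKey": p["ParameterKey"], "UsePreviousValue": True}
              for p in stack.get("Parameters", [])]
    arns = list(stack.get("NotificationARNs", []))
    if sns_topic_arn not in arns:          # idempotent: keep existing topics
        arns.append(sns_topic_arn)
    request = {
        "StackName": stack["StackName"],
        "UsePreviousTemplate": True,
        "Parameters": params,
        "NotificationARNs": arns,
    }
    if stack.get("Capabilities"):
        request["Capabilities"] = list(stack["Capabilities"])
    return request


def stage_notification_change_set(stack_name: str, sns_topic_arn: str,
                                  profile: str = None, region: str = None) -> str:
    """Describe the live stack and create (but do not execute) an UPDATE
    change set, so the resources CloudFormation would modify can be
    inspected with describe-change-set before executing it."""
    import boto3  # imported lazily so the pure builder above runs offline
    cfn = boto3.Session(profile_name=profile, region_name=region).client("cloudformation")
    stack = cfn.describe_stacks(StackName=stack_name)["Stacks"][0]
    kwargs = build_notification_update(stack, sns_topic_arn)
    resp = cfn.create_change_set(ChangeSetName="add-sns-notification",
                                 ChangeSetType="UPDATE", **kwargs)
    return resp["Id"]
```

Review the staged change set (describe-change-set) and execute it only if the listed changes are limited to the stack settings you intended; if a resource such as SystemAssociationForScanningPatches shows up as modified, the rollback seen above would recur.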
