CloudFormation stacks should have rollback enabled¶

Ensure CloudFormation stacks have the rollback feature enabled. Rollback triggers enable you to have AWS CloudFormation monitor the state of your application during stack creation and updating, and to rollback that operation if the application breaches the threshold of any of the alarms you've specified.

How to fix¶

Attribute disable_rollback of aws_cloudformation_stack must be false.

Implementation options¶

Choose the option that matches how you manage Terraform. All options satisfy this control.

Option 1: Terraform AWS provider resources¶

If you manage resources directly, configure the relevant Terraform AWS provider resources to meet this control. See docs for the resources involved: aws_cloudformation_stack.

resource "aws_cloudformation_stack" "this" {
  name              = "pofix-example-stack"
  notification_arns = ["arn:aws:sns:us-east-1:123456789012:cloudformation-notifications"]
  template_body     = jsonencode({ AWSTemplateFormatVersion = "2010-09-09", Description = "Empty stack", Resources = { NullResource = { Type = "AWS::CloudFormation::WaitConditionHandle" } } })

  disable_rollback = false
}

Which option should I choose?

Compliance.tf module (recommended): controls enforced by default and mapped to frameworks.
Open source module (terraform-aws-modules): compatible by design with compliance.tf. Same variable names for an easy, low-change migration path when you are ready.
Terraform AWS provider resources: manage Terraform resources directly.

Tool mappings¶

Use these identifiers to cross-reference this control across tools, reports, and evidence.

Compliance.tf (CTF) Control: cloudformation_stack_rollback_enabled
Powerpipe Control: aws_compliance.control.cloudformation_stack_rollback_enabled