AWS Security ChangesHomeSearch

AWS AWSCloudFormation high security documentation change

Service: AWSCloudFormation · 2026-07-10 · Security-related high

File: AWSCloudFormation/latest/UserGuide/protect-stack-resources.md

Summary

Updated guidance on using stack policies to protect resources, replacing NotResource with explicit Deny statements and adding warnings about unreliable protection methods

Security assessment

The changes explicitly warn that using NotResource with Allow effect doesn't reliably prevent resource updates due to CloudFormation's dual evaluation of logical IDs and resource types. This could lead to unintended modifications of protected resources. The addition of explicit Deny examples provides secure alternatives to prevent unauthorized updates.

Diff

diff --git a/AWSCloudFormation/latest/UserGuide/protect-stack-resources.md b/AWSCloudFormation/latest/UserGuide/protect-stack-resources.md
index e0114bffa..7052c0698 100644
--- a//AWSCloudFormation/latest/UserGuide/protect-stack-resources.md
+++ b//AWSCloudFormation/latest/UserGuide/protect-stack-resources.md
@@ -163 +163 @@ You can use a wild card with logical IDs. For example, if you use a common logic
-You can also use a `Not` element with resources. For example, to allow updates to all resources except for one, use a `NotResource` element to protect that resource:
+You can also use a `NotResource` element to allow updates to all resources except for those you specify. However, using `NotResource` with `Effect: Allow` does not reliably prevent updates to the excluded resources. To protect a specific resource from updates, use an explicit `Deny` statement instead, as shown in the following example:
@@ -167,0 +168,6 @@ You can also use a `Not` element with resources. For example, to allow updates t
+        {
+          "Effect" : "Deny",
+          "Action" : "Update:*",
+          "Principal": "*",
+          "Resource" : "LogicalResourceId/ProductionDatabase"
+        },
@@ -172 +178 @@ You can also use a `Not` element with resources. For example, to allow updates t
-          "NotResource" : "LogicalResourceId/ProductionDatabase"
+          "Resource" : "*"
@@ -177,2 +182,0 @@ You can also use a `Not` element with resources. For example, to allow updates t
-When you set a stack policy, any update not explicitly allowed is denied. By allowing updates to all resources except for the `ProductionDatabase` resource, you deny updates to the `ProductionDatabase` resource.
-
@@ -423 +427,3 @@ The following policy denies all update actions on the database with the `MyDatab
-You can achieve the same result as the previous example by using a default denial. When you set a stack policy, CloudFormation denies any update that is not explicitly allowed. The following policy allows updates to all resources except for the `ProductionDatabase` resource, which is denied by default.
+###### Avoid using NotResource to protect resources
+
+Consider using a `NotResource` element with `Effect: Allow` to protect a resource through default denial, as in the following example:
@@ -437 +443 @@ You can achieve the same result as the previous example by using a default denia
-###### Important
+This policy does _not_ reliably prevent updates to the `ProductionDatabase` resource. AWS CloudFormation evaluates stack policies against both the logical resource ID and the resource type independently. A default denial blocks an update only when both evaluations result in a denied status. Because this policy excludes only the logical resource ID from the `Allow` statement, the resource type remains implicitly allowed. AWS CloudFormation then permits the update.
@@ -439 +445 @@ You can achieve the same result as the previous example by using a default denia
-There is risk in using a default denial. If you have an `Allow` statement elsewhere in the policy (such as an `Allow` statement that uses a wildcard), you might unknowingly grant update permission to resources that you don't intend to. Because an explicit denial overrides any allow actions, you can ensure that a resource is protected by using a `Deny` statement.
+Always use an explicit `Deny` statement to protect resources, as shown in the previous example.