---
title: No stack policy
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > No stack policy
---

# No stack policy

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9`

**Cloud Provider:** AWS

**Platform:** Ansible

**Severity:** Medium

**Category:** Resource Management

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/amazon/aws/cloudformation_module.html)

### Description{% #description %}

CloudFormation stacks should carry a stack policy so that stack updates cannot modify, replace, or delete protected resources by accident or through a mistaken deployment. Without one, any principal allowed to call `UpdateStack` can replace or delete every resource in the stack.

For Ansible tasks using the `amazon.aws.cloudformation` or `cloudformation` modules, the `stack_policy` parameter must be set. Tasks that omit `stack_policy` or leave it undefined are flagged. The rule only checks that the parameter is present; it does not parse the policy, so a malformed policy is caught by CloudFormation when the task runs, not by this rule. `stack_policy` takes the path of a file whose contents the module sends to CloudFormation as the stack policy body (the module's `stack_policy_body` parameter accepts the same JSON inline). Write the policy so that it allows `Update:*` on `*` and then explicitly denies the update actions you care about (`Update:Modify`, `Update:Replace`, `Update:Delete`, or `Update:*`) on the logical resource IDs to protect. Once a stack policy exists, CloudFormation denies every update the policy does not explicitly allow, so a policy consisting only of Deny statements freezes the whole stack rather than just the critical resource.

Secure configuration example (`stack_policy` points at a file; the module reads it and passes the contents to CloudFormation):

```yaml
- name: Create CloudFormation stack with stack policy
  amazon.aws.cloudformation:
    stack_name: my-stack
    state: present
    template: files/template.yml          # local path to the template
    stack_policy: files/stack-policy.json # local path to the policy JSON below
```

`files/stack-policy.json`:

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "LogicalResourceId/MyCriticalResource"
    }
  ]
}
```

The Allow statement keeps the rest of the stack updatable; the Deny statement, which takes precedence, blocks every update action on `MyCriticalResource`. `Principal` must be `"*"` in stack policies.
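The rule above verifies only that `stack_policy` is set, so a practitioner usually wants two further checks before the playbook runs: that the policy file is a well-formed stack policy, and that it actually permits the updates the rest of the stack needs. The following is an added example, not Datadog's rule implementation and not code from the `amazon.aws` collection. It flags CloudFormation tasks with no policy parameter (accepting `stack_policy_body` as well as `stack_policy`, which is broader than the rule text), lints a policy document, and evaluates a proposed change the way CloudFormation applies stack policies: default deny once a policy exists, explicit Deny overriding Allow. `NotResource` and `Condition` are not handled. The task dicts, policies, and resource names (`ProductionDatabase`, `WebServer`) are constructed for the example.

```python
"""Added example (not Datadog's rule or amazon.aws code): detect Ansible
CloudFormation tasks with no stack policy, lint a stack policy document, and
simulate CloudFormation's evaluation of an update against that policy."""
import fnmatch
import json

CFN_MODULES = ("amazon.aws.cloudformation", "cloudformation")
# The rule text names only stack_policy (a file path); the module also accepts
# the same JSON inline via stack_policy_body, so this checker honours both.
POLICY_KEYS = ("stack_policy", "stack_policy_body")
VALID_ACTIONS = {"Update:Modify", "Update:Replace", "Update:Delete", "Update:*"}


def task_missing_policy(task: dict) -> bool:
    """True when a task (a dict as Ansible parses it) calls a CloudFormation
    module without any stack policy parameter; False for other tasks."""
    for module in CFN_MODULES:
        if module in task:
            args = task[module] or {}
            return not any(args.get(key) for key in POLICY_KEYS)
    return False


def _as_list(value):
    return value if isinstance(value, list) else [value]


def validate_policy(policy_json: str) -> list:
    """Lint a stack policy document; returns a list of problems (empty is OK).
    Checks Statement, Effect, Principal, Action and Resource shapes."""
    try:
        doc = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        return ["missing or empty Statement list"]
    problems = []
    for i, st in enumerate(statements):
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        if st.get("Principal") != "*":
            problems.append(f'statement {i}: Principal must be "*"')
        for action in _as_list(st.get("Action", [])):
            if action not in VALID_ACTIONS:
                problems.append(f"statement {i}: unknown action {action!r}")
        for res in _as_list(st.get("Resource", [])):
            if res != "*" and not res.startswith("LogicalResourceId/"):
                problems.append(f"statement {i}: bad Resource {res!r}")
    # With a policy in place CloudFormation denies whatever is not explicitly
    # allowed, so a Deny-only policy freezes every resource in the stack.
    if not any(st.get("Effect") == "Allow" for st in statements):
        problems.append("no Allow statement: every resource becomes un-updatable")
    return problems


def update_permitted(policy_json: str, action: str, logical_id: str) -> bool:
    """Decide whether one update action on one logical resource passes the
    (already validated) policy: default deny, explicit Deny beats Allow."""
    doc = json.loads(policy_json)
    resource = f"LogicalResourceId/{logical_id}"
    allowed = False
    for st in doc["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(st["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(st["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if st["Effect"] == "Deny":
            return False  # explicit Deny overrides any Allow
        allowed = True
    return allowed


# Constructed sample data; resource and file names are hypothetical.
PROTECT_DB = json.dumps({"Statement": [
    {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["Update:Replace", "Update:Delete"],
     "Principal": "*", "Resource": "LogicalResourceId/ProductionDatabase"},
]})
DENY_ONLY = json.dumps({"Statement": [
    {"Effect": "Deny", "Action": "Update:*", "Principal": "*",
     "Resource": "LogicalResourceId/ProductionDatabase"},
]})
TASK_WITHOUT_POLICY = {"name": "create stack", "amazon.aws.cloudformation": {
    "stack_name": "app", "state": "present"}}
TASK_WITH_POLICY = {"name": "create stack", "amazon.aws.cloudformation": {
    "stack_name": "app", "state": "present", "stack_policy": "files/stack-policy.json"}}

if __name__ == "__main__":
    print("task without policy flagged:", task_missing_policy(TASK_WITHOUT_POLICY))
    print("PROTECT_DB problems:", validate_policy(PROTECT_DB))
    print("DENY_ONLY problems:", validate_policy(DENY_ONLY))
    print("replace ProductionDatabase:", update_permitted(PROTECT_DB, "Update:Replace", "ProductionDatabase"))
    print("modify WebServer under DENY_ONLY:", update_permitted(DENY_ONLY, "Update:Modify", "WebServer"))
```

`PROTECT_DB` lets routine updates through but blocks replacing or deleting the database, which is the shape a production policy normally takes. `DENY_ONLY` is the policy the rule would also accept as present, yet it blocks a plain `Update:Modify` on an unrelated `WebServer` resource, which is the failure mode the linter's last check reports.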

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: create a stack, pass in the template via an URL
  amazon.aws.cloudformation:
    stack_name: ansible-cloudformation
    stack_policy: files/stack-policy.json  # the rule checks that this is set; the module reads the file's JSON
    state: present
    region: us-east-1
    disable_rollback: true
    template_url: https://s3.amazonaws.com/my-bucket/cloudformation.template
    template_parameters:
      KeyName: jmartin
      DiskType: ephemeral
      InstanceType: m1.small
      ClusterSize: 3
    tags:
      Stack: ansible-cloudformation
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: create a stack, pass in the template via an URL
  amazon.aws.cloudformation:
    stack_name: "ansible-cloudformation"
    state: present
    region: us-east-1
    disable_rollback: true
    template_url: https://s3.amazonaws.com/my-bucket/cloudformation.template
    template_parameters:
      KeyName: jmartin
      DiskType: ephemeral
      InstanceType: m1.small
      ClusterSize: 3
    tags:
      Stack: ansible-cloudformation
```
