For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-stack-notifications-disabled.md. A documentation index is available at /llms.txt.

Stack notifications disabled

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-stack-notifications-disabled

Provider: AWS

Platform: CloudFormation

Severity: Low

Category: Observability

Learn More

Description

CloudFormation stacks should send notifications for stack events so operators are promptly alerted to failed or unexpected stack creations, updates, or deletions.

For AWS::CloudFormation::Stack resources, Properties.NotificationARNs must be defined and set to a list of SNS topic ARNs (or CloudFormation references to AWS::SNS::Topic resources) so events are forwarded to your alerting channels. Resources missing NotificationARNs, or configured with an empty list, will be flagged because lack of notifications delays detection of provisioning failures and security-relevant changes.

Configure NotificationARNs with explicit ARNs or Ref/GetAtt to SNS topics to ensure reliable delivery. For example:

NotificationTopic:
  Type: AWS::SNS::Topic

MyStack:
  Type: AWS::CloudFormation::Stack
  Properties:
    TemplateURL: https://s3.amazonaws.com/example/template.yml
    NotificationARNs:
      - !Ref NotificationTopic

Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myStackWithParams:
    Type: AWS::CloudFormation::Stack
    Properties:
      NotificationARNs:
        - "String"
      TemplateURL: https://s3.amazonaws.com/cloudformation-templates-us-east-2/EC2ChooseAMI.template
      Parameters:
        InstanceType: t1.micro
        KeyName: mykey

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myStackWithParams": {
      "Type": "AWS::CloudFormation::Stack",
      "Properties": {
        "NotificationARNs": [
          "string"
        ],
        "TemplateURL": "https://s3.amazonaws.com/cloudformation-templates-us-east-2/EC2ChooseAMI.template",
        "Parameters": {
          "InstanceType": "t1.micro",
          "KeyName": "mykey"
        }
      }
    }
  }
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myStackWithParams:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://s3.amazonaws.com/cloudformation-templates-us-east-2/EC2ChooseAMI.template
      Parameters:
        InstanceType: t1.micro
        KeyName: mykey

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myStackWithParams": {
      "Type": "AWS::CloudFormation::Stack",
      "Properties": {
        "TemplateURL": "https://s3.amazonaws.com/cloudformation-templates-us-east-2/EC2ChooseAMI.template",
        "Parameters": {
          "InstanceType": "t1.micro",
          "KeyName": "mykey"
        }
      }
    }
  }
}