Attacking all of CloudFormation

CloudFormation is an extremely useful service that has been maturing quite a bit recently. It essentially lets you write code that is then translated into AWS resources, allowing you to easily spin up and down your resources and track those resources from a central location. CloudFormation seems to suffer from some of the same issues regular source code does, including hardcoded secrets, overly permissive deployments, and more, which we will cover here.

There are many things to look at when pentesting CloudFormation. The following list is what we will cover in this section:

  • Stack parameters
  • Stack output values
  • Stack termination protection
  • Deleted stacks
  • Stack exports
  • Stack templates
  • Passed roles

For this section, we have spun up a simple LAMP stack, based on the LAMP stack CloudFormation sample template that AWS provides, but with a few modifications.

The first thing we are going to want to do is use the CloudFormation DescribeStacks API to gather some information on the stacks in each region. Again, this API is per-region, so it needs to be run against every region to ensure that all stacks are discovered. We can do this by running the following AWS CLI command (changing the region each time):

aws cloudformation describe-stacks --region us-west-2

The nice thing about this command is that it returns several of the things we want to look at for each stack in one call: the stack's parameters (with NoEcho values masked as ****), its outputs (including any export names), whether termination protection is enabled, and the ARN of any IAM role that was passed to CloudFormation for the stack.
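The following script is an added example and is not part of the original chapter. It runs the DescribeStacks enumeration across every region and then picks out of each response the items listed above: secret-looking parameters (and whether their value is actually exposed rather than masked), outputs and exports, stacks without termination protection, and any passed role. The describe-stacks response embedded in SAMPLE_RESPONSE is constructed for illustration, and the function names, the SECRET_KEY_PATTERN regex and the account ID and hostnames in the sample are assumptions of this example.

```python
"""Enumerate CloudFormation stacks across regions and flag what a pentester
looks at first in each describe-stacks response.

audit_stacks() works on a plain dict shaped like the AWS CLI / boto3
describe_stacks response, so it can be run offline on saved output.
fetch_all_regions() wires it to boto3 for a live account.
"""
import json
import re

# Parameter names that usually carry credentials. Assumption for this
# example; extend it for the naming conventions of the target.
SECRET_KEY_PATTERN = re.compile(r"pass(word)?|secret|token|api.?key|private",
                                re.IGNORECASE)

# Constructed sample describe-stacks response (not real output).
SAMPLE_RESPONSE = {
    "Stacks": [
        {
            "StackName": "LAMP-Stack",
            "StackStatus": "CREATE_COMPLETE",
            "EnableTerminationProtection": False,
            "RoleARN": "arn:aws:iam::123456789012:role/CloudFormationAdminRole",
            "Parameters": [
                # NoEcho parameter: value is masked by the API
                {"ParameterKey": "DBPassword", "ParameterValue": "****"},
                # Same kind of secret, but the template author forgot NoEcho
                {"ParameterKey": "DBRootPassword", "ParameterValue": "SuperSecret1"},
                {"ParameterKey": "InstanceType", "ParameterValue": "t2.small"},
            ],
            "Outputs": [
                {"OutputKey": "WebsiteURL",
                 "OutputValue": "http://ec2-198-51-100-10.us-west-2.compute.amazonaws.com",
                 "ExportName": "LAMP-URL"},
            ],
        }
    ]
}


def audit_stacks(response):
    """Return a list of finding dicts for one describe-stacks response."""
    findings = []
    for stack in response.get("Stacks", []):
        name = stack["StackName"]

        # 1. Parameters: secret-looking keys, and whether NoEcho masked them.
        for param in stack.get("Parameters", []):
            key = param.get("ParameterKey", "")
            value = param.get("ParameterValue", "")
            if SECRET_KEY_PATTERN.search(key):
                findings.append({"stack": name, "type": "parameter", "key": key,
                                 "value": value, "exposed": value != "****"})

        # 2. Outputs, which often leak hostnames, ARNs or keys, and exports.
        for out in stack.get("Outputs", []):
            findings.append({"stack": name, "type": "output",
                             "key": out.get("OutputKey"),
                             "value": out.get("OutputValue"),
                             "export": out.get("ExportName")})

        # 3. Termination protection: absent means the stack can be deleted.
        if not stack.get("EnableTerminationProtection", False):
            findings.append({"stack": name, "type": "termination_protection",
                             "enabled": False})

        # 4. Passed role: CloudFormation acts with this role's permissions.
        if stack.get("RoleARN"):
            findings.append({"stack": name, "type": "passed_role",
                             "arn": stack["RoleARN"]})
    return findings


def fetch_all_regions():
    """Run describe-stacks in every CloudFormation region and audit each page.

    Requires boto3 and valid AWS credentials; regions the account has not
    opted in to raise a ClientError and are skipped.
    """
    import boto3
    from botocore.exceptions import ClientError

    session = boto3.Session()
    results = []
    for region in session.get_available_regions("cloudformation"):
        cfn = session.client("cloudformation", region_name=region)
        try:
            for page in cfn.get_paginator("describe_stacks").paginate():
                for finding in audit_stacks(page):
                    finding["region"] = region
                    results.append(finding)
        except ClientError as err:
            print(f"[{region}] skipped: {err.response['Error']['Code']}")
    return results


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap for fetch_all_regions().
    print(json.dumps(audit_stacks(SAMPLE_RESPONSE), indent=2))
```

When run against a live account, the parameter findings with "exposed": true are the ones worth chasing first: they are secrets the template author forgot to mark NoEcho, so anyone with cloudformation:DescribeStacks can read them.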
