I want to protect the resources in my CloudFormation stack from being deleted or updated. What can I do to make sure that doesn't happen?

To prevent deletion or updates to resources in a CloudFormation stack, you can:

  • Set DeletionPolicy attributes to retain certain resources when the stack is deleted.
  • Enable Termination Protection to prevent the stack from being deleted.
  • Use a stack policy to prevent update actions (modify, replace, or delete) to resources in the stack.
  • Apply IAM policies to allow only certain users to delete or update resources.

Set DeletionPolicy attributes

By default, all resources in a CloudFormation stack are removed when the stack is deleted. To keep or copy certain resources when the stack is deleted, you can set a DeletionPolicy attribute for each resource in the CloudFormation template. For more information on how to use a DeletionPolicy attribute, see DeletionPolicy Attribute.

For an example of how to use a DeletionPolicy attribute to retain a resource when the stack is deleted, see How do I delete an AWS CloudFormation stack but retain some provisioned resources?

Enable Termination Protection

You can enable Termination Protection to prevent users from deleting the CloudFormation stack. By default, Termination Protection is disabled. You can enable this option when you create the stack, and you can update Termination Protection on an existing stack.

To update Termination Protection using the AWS CloudFormation console, see Protecting a Stack From Being Deleted. To update the option using the AWS Command Line Interface (AWS CLI), see update-termination-protection.

Use a stack policy to prevent update actions

By default, all update actions are allowed on any resource in a stack. Update actions include Modify, Replace, and Delete. You can use a stack policy to allow or deny update actions on resources.

Note: After you set any stack policy, all resources in the stack are protected by default, and you must explicitly allow any resource update actions. For more information on using stack policies, see Prevent Updates to Stack Resources.

The following example stack policy denies all update actions on the MyRoute resource and allows update actions on every other resource in the stack (the second statement is required because, once a stack policy exists, anything not explicitly allowed is denied):

    {
      "Statement" : [
        {
          "Effect" : "Deny",
          "Action" : "Update:*",
          "Principal": "*",
          "Resource" : "LogicalResourceId/MyRoute"
        },
        {
          "Effect" : "Allow",
          "Action" : "Update:*",
          "Principal": "*",
          "Resource" : "*"
        }
      ]
    }
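To check a stack policy before applying it, the following added example (not AWS code, and not part of the original article) evaluates the policy above against proposed update actions using the rules the article describes: an explicit Deny wins, and anything not explicitly allowed is denied. It assumes the simple `Action`/`Resource` statement form shown here and does not model `Condition`, `NotAction` or `NotResource`.

```python
import fnmatch
import json

# The stack policy from the article, embedded here as sample input.
POLICY = json.loads("""
{
  "Statement": [
    {"Effect": "Deny", "Action": "Update:*", "Principal": "*",
     "Resource": "LogicalResourceId/MyRoute"},
    {"Effect": "Allow", "Action": "Update:*", "Principal": "*",
     "Resource": "*"}
  ]
}
""")

# The three concrete update actions a stack policy can govern.
UPDATE_ACTIONS = {"Update:Modify", "Update:Replace", "Update:Delete"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    # Stack policy wildcards ("*", "LogicalResourceId/Prod*") behave like globs.
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def is_update_allowed(policy, logical_id, action):
    """Return True if the policy permits `action` on the resource.

    Assumed evaluation model (matches the article's description):
    default deny once a policy is set, explicit Deny overrides Allow.
    """
    if action not in UPDATE_ACTIONS:
        raise ValueError(f"unknown update action: {action}")
    resource = f"LogicalResourceId/{logical_id}"
    allowed = False
    for stmt in policy.get("Statement", []):
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny ends evaluation
        allowed = True
    return allowed


def plan_update(policy, proposed):
    """Map each (logical_id, action) pair in a proposed change to its verdict."""
    return {(lid, act): is_update_allowed(policy, lid, act) for lid, act in proposed}
```

Run `plan_update(POLICY, [("MyRoute", "Update:Delete"), ("MyBucket", "Update:Modify")])` to see which parts of a planned change set the policy would block before you submit the real update.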

Apply IAM policies

If your organization has multiple people or departments that use the same CloudFormation stack, someone unfamiliar with your configuration might make changes that result in significant downstream impact. Be sure to set IAM policies that allow access only for those who need to work with certain AWS resources or services.

For more information on using AWS Identity and Access Management (IAM) to manage access to AWS CloudFormation actions and resources, see Controlling Access with AWS Identity and Access Management.

Published: 2016-10-07

Updated: 2017-12-19