I want to ensure that the resources in my AWS CloudFormation stack aren’t accidentally deleted or updated. What can I do to make sure that doesn’t happen?

Resources in a CloudFormation stack are assigned a unique ID when they are created. When a CloudFormation resource is updated or terminated and the associated unique ID for the CloudFormation resource is unknown, the resource usually cannot be recovered.

For example, updating a production stack with a template that was written for a dev/test stack can cause downtime for the applications or servers that depend on the resources in the production stack. In the following example, the production stack template specifies a "NatGatewayId" of "nat-123456" while the dev/test stack template specifies a "NatGatewayId" of "nat-7891011"; applying the dev/test template to the production stack would repoint the production default route at the wrong NAT gateway.

Production stack template:

    "MyRoute": {
        "Type": "AWS::EC2::Route",
        "Properties": {
            "DestinationCidrBlock": "0.0.0.0/0",
            "NatGatewayId": "nat-123456",
            "RouteTableId": {"Ref": "MyRouteTable"}
        }
    }

Dev/Test stack template:

    "MyRoute": {
        "Type": "AWS::EC2::Route",
        "Properties": {
            "DestinationCidrBlock": "0.0.0.0/0",
            "NatGatewayId": "nat-7891011",
            "RouteTableId": {"Ref": "MyRouteTable"}
        }
    }

Implement the following best practices to protect resources in CloudFormation from accidental deletion or updates:

Apply stack policies during updates to prevent updates/deletion of important resources

By default, all update actions are allowed on every resource in a stack. You can set a stack policy per stack, which gives you resource-level control over what a stack update may change, independent of the IAM permissions granted to other users of your account.

For example, you might create a stack policy that denies all update actions on "MyRoute" and allows updates to all other resources in the stack:

    {
        "Statement": [
            {
                "Effect": "Deny",
                "Action": "Update:*",
                "Principal": "*",
                "Resource": "LogicalResourceId/MyRoute"
            },
            {
                "Effect": "Allow",
                "Action": "Update:*",
                "Principal": "*",
                "Resource": "*"
            }
        ]
    }
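To see what the policy above actually blocks, here is an added example (not part of the article, and not CloudFormation's own evaluation engine) that models the documented stack-policy evaluation order and runs the article's policy against a constructed list of changes. The evaluation rules encoded here (a matching Deny always wins, otherwise a matching Allow permits the change, otherwise the change is denied because a stack policy denies by default) are a simplified model; Condition blocks such as ResourceType are not modelled.

```python
import fnmatch
import json

# The stack policy from the article, embedded as a literal so the example runs offline.
ARTICLE_STACK_POLICY = json.loads("""
{
  "Statement": [
    {"Effect": "Deny",  "Action": "Update:*", "Principal": "*",
     "Resource": "LogicalResourceId/MyRoute"},
    {"Effect": "Allow", "Action": "Update:*", "Principal": "*",
     "Resource": "*"}
  ]
}
""")

# Constructed list of changes a stack update might attempt: (logical ID, stack policy action).
PROPOSED_CHANGES = [
    ("MyRoute", "Update:Replace"),      # the NAT gateway swap described in the article
    ("MyRouteTable", "Update:Modify"),
    ("MyRoute", "Update:Delete"),
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Stack policy Action and Resource fields accept "*" as a wildcard.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, logical_id, action):
    """Return "Deny" or "Allow" for one proposed change to one resource.

    Simplified model (an assumption of this example) of the documented order:
      1. a matching Deny statement always wins;
      2. otherwise a matching Allow statement permits the change;
      3. otherwise the change is denied (a stack policy denies by default).
    """
    resource = "LogicalResourceId/" + logical_id
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def blocked_changes(policy, changes):
    """Return the (logical_id, action) pairs that the policy would reject."""
    return [(rid, act) for rid, act in changes if evaluate(policy, rid, act) == "Deny"]


if __name__ == "__main__":
    for rid, act in PROPOSED_CHANGES:
        print(f"{rid:14} {act:16} -> {evaluate(ARTICLE_STACK_POLICY, rid, act)}")
```

Two points the model makes visible: the Deny on "MyRoute" covers Update:Modify, Update:Replace and Update:Delete alike, so the NAT gateway swap is rejected before it happens, and a policy that only lists Allow statements still denies every resource it does not mention. A stack policy governs stack updates only; it does not stop someone deleting the whole stack, which is what the DeletionPolicy attribute and IAM policies below are for.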

For more general information about IAM, see Overview of Access Management: Permissions and Policies.

Set the DeletionPolicy attribute of resources specified in stack templates

The DeletionPolicy attribute of a resource in a CloudFormation stack designates what happens to that resource when the stack is deleted: whether it is deleted along with the stack, or whether, for supported resource types, a snapshot is taken automatically before deletion. With such a policy in place, the resource (or its snapshot) is preserved even if the stack is accidentally deleted.
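The following is an added example, not from the article: a constructed template fragment showing the DeletionPolicy attribute on a few resources, together with a pre-deployment check that reports which of the resources you care about would not survive a stack deletion. The list of resource types that support DeletionPolicy: Snapshot is taken from the CloudFormation documentation as it stood when this example was written and is an assumption to verify against the current documentation.

```python
import json

# Constructed template fragment: two resources that must survive stack deletion,
# one with a Snapshot policy on a type that cannot take snapshots, and one expendable route.
TEMPLATE = json.loads("""
{
  "Resources": {
    "MyDatabase": {
      "Type": "AWS::RDS::DBInstance",
      "DeletionPolicy": "Snapshot",
      "Properties": {"Engine": "mysql", "DBInstanceClass": "db.t3.micro",
                     "AllocatedStorage": "20"}
    },
    "MyBucket": {
      "Type": "AWS::S3::Bucket",
      "DeletionPolicy": "Retain",
      "Properties": {}
    },
    "MyLogGroup": {
      "Type": "AWS::Logs::LogGroup",
      "DeletionPolicy": "Snapshot",
      "Properties": {"RetentionInDays": 90}
    },
    "MyRoute": {
      "Type": "AWS::EC2::Route",
      "Properties": {"DestinationCidrBlock": "0.0.0.0/0",
                     "NatGatewayId": "nat-123456",
                     "RouteTableId": {"Ref": "MyRouteTable"}}
    }
  }
}
""")

VALID_POLICIES = {"Delete", "Retain", "Snapshot"}

# Types that support DeletionPolicy: Snapshot per the CloudFormation docs at the time of
# writing (assumption: confirm against the current documentation before relying on it).
SNAPSHOT_CAPABLE = {
    "AWS::EC2::Volume",
    "AWS::ElastiCache::CacheCluster",
    "AWS::ElastiCache::ReplicationGroup",
    "AWS::Neptune::DBCluster",
    "AWS::RDS::DBCluster",
    "AWS::RDS::DBInstance",
    "AWS::Redshift::Cluster",
}


def audit_deletion_policies(template, must_keep):
    """Classify each logical ID in must_keep by how its DeletionPolicy would behave.

    Returns {logical_id: status} with status one of:
      "ok"                   Retain, or Snapshot on a type that supports it
      "missing"              no DeletionPolicy attribute (resource not protected)
      "delete"               explicitly set to Delete
      "snapshot-unsupported" Snapshot on a type that cannot take a snapshot
      "invalid:<value>"      value is not Delete, Retain or Snapshot
      "not-in-template"      the logical ID does not exist in the template
    """
    resources = template.get("Resources", {})
    report = {}
    for logical_id in must_keep:
        res = resources.get(logical_id)
        if res is None:
            report[logical_id] = "not-in-template"
            continue
        policy = res.get("DeletionPolicy")
        if policy is None:
            report[logical_id] = "missing"
        elif policy not in VALID_POLICIES:
            report[logical_id] = "invalid:" + str(policy)
        elif policy == "Delete":
            report[logical_id] = "delete"
        elif policy == "Snapshot" and res.get("Type") not in SNAPSHOT_CAPABLE:
            report[logical_id] = "snapshot-unsupported"
        else:
            report[logical_id] = "ok"
    return report


def unprotected(template, must_keep):
    """Sorted logical IDs from must_keep that would not survive a stack deletion."""
    report = audit_deletion_policies(template, must_keep)
    return sorted(rid for rid, status in report.items() if status != "ok")


if __name__ == "__main__":
    wanted = ["MyDatabase", "MyBucket", "MyLogGroup", "MyRoute"]
    for rid, status in audit_deletion_policies(TEMPLATE, wanted).items():
        print(f"{rid:12} {status}")
```

Run this as a pre-deployment check with the list of resources that must outlive the stack. Retain leaves the resource in place outside CloudFormation's control (it keeps incurring cost until you remove it by hand), Snapshot is only accepted on the types that can take one, and a missing attribute means the resource goes away with the stack.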

Set IAM policies that restrict updates/deletions to specific users

If multiple people or departments in your organization use the same CloudFormation stack, someone unfamiliar with your configuration might accidentally make changes with significant downstream impact. Set IAM policies so that only those who need access to particular resources and services have it. The stack policy shown earlier in this article is an example of such a policy.


Published: 2016-10-07