Question

CloudFormation stacks are great for automation; however, the problem I see with them is how easily they can be deleted, and in turn cascade-delete other resources.

I've already found a solution to the latter problem: it's possible to protect each of the resources by modifying its deletion policy. But what about the stack as a whole? Can it be protected?


Solution 2

They added "Termination Protection" in Sept 2017. You can enable it through the console or through the aws-cli. You can also control if a role can set it or not with the "cloudformation:UpdateTerminationProtection" permission.
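As an added example (not part of the answer above, and not AWS's own code), here are the CLI calls that go with this approach, plus an IAM policy that lets a deployer role create and update stacks while denying it the permission the answer mentions, so it cannot switch protection off or delete the stack. The `AWS_CMD` variable, the stack name `prod-network` and the account id are assumed placeholders; with `AWS_CMD=echo` the script only prints the commands it would run, which is how it can be tried offline.

```shell
#!/bin/sh
# Added example: CloudFormation termination protection from the CLI and
# an IAM policy that keeps deployers from removing it.
# AWS_CMD defaults to the real CLI; set AWS_CMD=echo for a dry run.
set -eu
AWS_CMD="${AWS_CMD:-aws}"

# Turn termination protection on for a stack that already exists.
enable_protection() {
  stack="$1"
  $AWS_CMD cloudformation update-termination-protection \
    --stack-name "$stack" --enable-termination-protection
}

# Print the current flag (true/false) so a review job can verify it.
protection_status() {
  stack="$1"
  $AWS_CMD cloudformation describe-stacks --stack-name "$stack" \
    --query 'Stacks[0].EnableTerminationProtection' --output text
}

# Create a new stack with protection enabled from the first moment.
create_protected_stack() {
  stack="$1"; template="$2"
  $AWS_CMD cloudformation create-stack --stack-name "$stack" \
    --template-body "file://$template" --enable-termination-protection
}

# IAM policy (printed as JSON) for a deployer role: it may create, update
# and describe production stacks, but the explicit Deny stops it from
# changing termination protection or deleting a stack, whatever other
# policies grant. The account id and the prod-* name pattern are
# placeholders (assumptions of this example).
deployer_policy() {
  account="${1:-123456789012}"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack",
                 "cloudformation:DescribeStacks"],
      "Resource": "arn:aws:cloudformation:*:${account}:stack/prod-*/*"
    },
    {
      "Effect": "Deny",
      "Action": ["cloudformation:UpdateTerminationProtection",
                 "cloudformation:DeleteStack"],
      "Resource": "*"
    }
  ]
}
EOF
}

# Usage: sh protect.sh demo   (or AWS_CMD=echo sh protect.sh demo)
if [ "${1:-}" = "demo" ]; then
  enable_protection "prod-network"
  protection_status "prod-network"
  deployer_policy
fi
```

The explicit Deny matters more than the Allow: IAM evaluates a Deny ahead of any Allow, so even a broader policy attached to the same role cannot hand back the ability to unprotect or delete. Keep `UpdateTerminationProtection` for a small, separately audited admin role.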

Other tips

I think the only way is to restrict the permission on the IAM Users you use. You can remove the Delete Stack permission from all relevant users.

AFAIK there is no deletion protection available for the stack itself. The best you can do is to use "DeletionPolicy" : "Retain" on a per resource level.
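As an added example (not part of the answer above), a small template showing the per-resource protection this answer describes, written as JSON so the same file works for `create-stack` and `validate-template`. `DeletionPolicy: Retain` keeps the bucket when the stack is deleted, `Snapshot` takes a final snapshot of the database first, and `UpdateReplacePolicy` covers the other path that drops a resource: an update whose property change forces a replacement. The `AWS_CMD` variable, the file names and the secret name are assumptions of this example; the grep-based count relies on the one-key-per-line layout of the file written here and is a review aid, not a general JSON parser.

```shell
#!/bin/sh
# Added example: resource-level protection with DeletionPolicy and
# UpdateReplacePolicy, validated before deployment.
# AWS_CMD defaults to the real CLI; set AWS_CMD=echo for a dry run.
set -eu
AWS_CMD="${AWS_CMD:-aws}"

# Write a template whose resources survive a stack delete. The database
# password comes from Secrets Manager via a dynamic reference instead of
# being embedded in the template; the secret name is a placeholder.
write_template() {
  out="$1"
  cat > "$out" <<'EOF'
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "AuditBucket": {
      "Type": "AWS::S3::Bucket",
      "DeletionPolicy": "Retain",
      "UpdateReplacePolicy": "Retain"
    },
    "AppDatabase": {
      "Type": "AWS::RDS::DBInstance",
      "DeletionPolicy": "Snapshot",
      "UpdateReplacePolicy": "Snapshot",
      "Properties": {
        "Engine": "postgres",
        "DBInstanceClass": "db.t3.micro",
        "AllocatedStorage": "20",
        "MasterUsername": "placeholder_admin",
        "MasterUserPassword": "{{resolve:secretsmanager:placeholder-secret:SecretString:password}}"
      }
    }
  }
}
EOF
  echo "$out"
}

# Number of resources in the file (one "Type": "AWS::..." line each).
resource_count() {
  grep -c '"Type": "AWS::' "$1" || true
}

# Number of resources that declare a DeletionPolicy; compare with
# resource_count in a review step to spot resources left unprotected.
count_deletion_policies() {
  grep -c '"DeletionPolicy"' "$1" || true
}

# Let CloudFormation validate the template before anything is deployed.
validate_template() {
  $AWS_CMD cloudformation validate-template --template-body "file://$1"
}

# Usage: sh retain.sh demo   (or AWS_CMD=echo sh retain.sh demo)
if [ "${1:-}" = "demo" ]; then
  f=$(write_template ./protected-stack.json)
  echo "resources: $(resource_count "$f"), with DeletionPolicy: $(count_deletion_policies "$f")"
  validate_template "$f"
fi
```

Note the limit of this approach: a retained bucket or snapshot outlives the stack, but the stack itself is still gone and has to be recreated and re-imported, so resource policies complement stack-level termination protection rather than replace it.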

Another way to protect it is to create a wrapper application that manages your stacks and then creates a protection policy around CloudFormation. For example, your wrapper app can have a database model for a stack like this:

String: name -- name of the stack
String: template -- JSON template for the stack
String: createdby -- name of the user that created the stack
Boolean: protected -- true if protected.

This would require all your users to use this application to create/delete a stack, and it's a lot more work to implement than AWS IAM, but for some people it may fit the bill.

Hope it helps.

License: CC-BY-SA with attribution
Not affiliated with StackOverflow