AWS CloudFormation
User Guide (API Version 2010-05-15)

Prevent Updates to Stack Resources

Important

You must have update permissions for any protected resources that reference updated resources.

After you set a stack policy, all resources in the stack are protected by default, even if you didn't explicitly set a policy for a resource. For any resources that you still want to allow updates on, you must specify an explicit Allow statement.

You can prevent stack resources from being unintentionally updated or deleted during a stack update by using stack policies. Stack policies apply only during stack updates. Use them to prevent accidental updates to stack resources. Do not use stack policies to control access to AWS resources or actions. Instead, use AWS Identity and Access Management (IAM).

By default, all resources in a stack can be updated by anyone with update permissions. However, during an update, some resources might require an interruption or might be completely replaced, which could result in new physical IDs or completely new storage. To ensure that no one inadvertently updates these resources, you can set a stack policy. The stack policy prevents anyone from accidentally updating resources that are protected. If you want to update protected resources, you must explicitly specify those resources during a stack update.

Stack policy overview

Stack policies are JSON documents that define which update actions can be performed on designated resources. You can define only one stack policy per stack; however, you can protect multiple resources within a single policy. Here's a sample stack policy that prevents updates to the ProductionDatabase resource:

{
  "Statement" : [
    {
      "Effect" : "Deny",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "LogicalResourceId/ProductionDatabase"
    },
    {
      "Effect" : "Allow",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*"
    }
  ]
}

In the Effect element, we specify Deny and use a wild card (an asterisk) in the Action element to prevent all update actions, such as replacement or deletion. In the Resource element, we specify the resource with the ProductionDatabase logical ID. The Principal element is required but supports only the wild card (*).

Note that when you set a stack policy, all resources are protected by default. Therefore, to allow updates on all other resources, we added an Allow statement that allows all actions on all resources. Even though the Allow specifies all resources, the explicit Deny overrides any allows.

Note

During a stack update, resources that depend on updated resources are automatically updated. AWS CloudFormation makes no changes to the automatically updated resources, but if a stack policy is associated with those resources, you must be permitted to update them. For more information about the depends on attribute, see DependsOn Attribute.

How to apply a stack policy

You can use the console or AWS CLI to apply a stack policy at the time you create a stack. You can also use the AWS CLI to apply a stack policy to a stack that you've already created. After you apply a stack policy, you cannot remove it from the stack; however, you can use the AWS CLI to modify the policy.

Stack policies apply to all users who want to update the stack. In other words, you cannot associate different stack policies with different users.

If you want to allow users to update protected resources, those users must have permission to use the SetStackPolicy action. During an update, users can set a stack policy that temporarily overrides the stack policy. For more information, see Updating Protected Resources.

Setting a Stack Policy

When you want to protect stack resources from unintentional updates, you define a stack policy in JSON format and then associate it with a stack when you create or update the stack. For more information about writing stack policies, see Stack Policy Reference. Note that after you apply a stack policy, you cannot remove it from the stack; however, you can always update the policy by using the AWS CLI.

By default, when you create a stack, no stack policy is set on the stack, so you can update any resources. However, after you set a stack policy, all stack resources are protected by default unless you specify an explicit Allow statement for those resources.

To set a stack policy when you create a stack:

AWS Management Console

  1. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation/.

  2. On the CloudFormation Stacks page, click Create Stack.

  3. On the Options screen of the Create Stack wizard, expand the Advanced section.

    Note

    When you create a stack and include a policy, you don't require permission to use the AWS CloudFormation SetStackPolicy action. However, if you want to update the policy or update protected resources, you must have permission to use the SetStackPolicy action.

  4. Select a file that defines a stack policy or enter one.

CLI

  • Use the aws cloudformation create-stack command with the --stack-policy-body or --stack-policy-url option.

To set a stack policy on a stack that has already been created (currently, you can only do this with the AWS CLI):

CLI

  • Use the aws cloudformation set-stack-policy command with the --stack-policy-body or --stack-policy-url option.

Updating Protected Resources

You can update protected resources by lifting their protections with a temporary policy that overrides the stack policy. The temporary policy should allow updates on the resources that you want to update. You specify a temporary policy when you update your stack. Before you begin, you must have permission to use the AWS CloudFormation SetStackPolicy action.

Note

During a stack update, resources that depend on updated resources are automatically updated. AWS CloudFormation makes no changes to the automatically updated resources, but if a stack policy is associated with those resources, you must be permitted to update them.

To update a protected resource:

AWS Management Console

  1. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation/.

  2. Select the stack that you want to update, and then choose Actions and then Update Stack.

  3. On the Policy screen of the Update Stack wizard, select a file that defines an overriding stack policy or enter one. The override policy must specify an Allow for the protected resources that you want to update.

    For example, if you want to update all protected resources, you can specify a temporary override that allows all updates:

    {
      "Statement" : [
        {
          "Effect" : "Allow",
          "Action" : "Update:*",
          "Principal": "*",
          "Resource" : "*"
        }  
      ]
    }

    Note

    The override policy is a temporary policy that is applied only during this update and won't permanently change the stack policy. To modify a stack policy, see Modifying a Stack Policy.

AWS CLI

  • Use the aws cloudformation update-stack command with the --stack-policy-during-update-body or --stack-policy-during-update-url option.

    Note

    The override policy is a temporary policy that is applied only during this update and won't permanently change the stack policy. To modify a stack policy, see Modifying a Stack Policy.

Modifying a Stack Policy

In situations where you might want to protect additional resources or where you might not need to protect resources anymore, you can modify a stack policy to add or remove resources. For example, imagine that you added another database to your stack that you want to protect. You can use the AWS CLI to add a deny statement for that resource.

To modify a stack policy (currently, you can only do this with the AWS CLI):

CLI

  • Use the aws cloudformation set-stack-policy command with the --stack-policy-body or --stack-policy-url option.

Remove All Protections

After you set a stack policy, you cannot remove or delete the policy. If you want to remove all protections, you must modify the policy to explicitly allow all actions on all resources. By default, a stack policy denies all updates. The following sample policy allows all updates on all resources:

{
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*"
    }  
  ]
}

Stack Policy Reference

Stack policies are JSON documents that define which update actions users can perform and which resources those actions apply to. These permissions are defined in the following elements: Effect, Action, Resource, and Condition. When you create a stack, no stack policy is set by default. In other words, all update actions on all resources are allowed. If you want to protect stack resources, you must set a stack policy. The following pseudo code shows the syntax for a stack policy:

{
  "Statement" : [
    {
      "Effect" : "Deny_or_Allow",
      "Action" : "update_actions",
      "Principal" : "*",
      "Resource" : "LogicalResourceId/resource_logical_ID",
      "Condition" : {
        "StringEquals_or_StringLike" : {
          "ResourceType" : [resource_type, ...]
        }
      }
    }  
  ]
}

Effect

Determines whether the actions that you specify are denied or allowed on the resource that you specify. You can specify only Deny or Allow for this element, as shown in the following snippet:

"Effect" : "Deny"

Important

If a stack policy includes any overlapping statements (a resource that is both allowed and denied), a Deny statement always overrides an Allow statement. If you want to ensure that a resource is protected, use a Deny statement for that resource.

Action

Specifies the update actions that are denied or allowed. You can specify the following actions:

Update:Modify

Specifies update actions where resources might experience no interruptions or some interruptions while changes are being applied. All resources maintain their physical IDs.

Update:Replace

Specifies update actions where resources are recreated. AWS CloudFormation creates a new resource with the specified updates and then deletes the old resource. Because the resource is recreated, the physical ID of the resource might be different.

Update:Delete

Specifies update actions where resources are removed. Any updates that completely remove resources from a stack template require this action.

Update:*

Specifies all update actions. The asterisk is a wild card that represents all update actions.

The following snippet shows how you can specify just the replace and delete actions:

"Action" : ["Update:Replace", "Update:Delete"]

You can also negate actions with NotAction. For example, if you want to allow all update actions except Update:Delete, you can use NotAction, as shown in the following sample:

{
  "Statement" : [
    {
      "Effect" : "Allow",
      "NotAction" : "Update:Delete",
      "Principal": "*",
      "Resource" : "*"
    }
  ]
}

For more information about stack updates, see AWS CloudFormation Stacks Updates.

Principal

The Principal element is required but supports only the wild card (*).

Resource

Specifies the logical IDs of the resources that the policy applies to. If you want to specify types of resources, use the Condition element.

You can specify a single resource by using its logical ID, as shown in the following snippet:

"Resource" : ["LogicalResourceId/myEC2instance"]

You can also use a wild card with logical IDs. For example, if you prefix the logical IDs of all related resources, you can specify them all with a wild card, as shown in the following snippet:

"Resource" : ["LogicalResourceId/MyPrefix*"]

You can also negate resources with NotResource. For example, if you want to allow updates to all resources except one, you can use NotResource, as shown in the following sample:

{
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : "Update:*",
      "Principal": "*",
      "NotResource" : "LogicalResourceId/ProductionDatabase"
    }
  ]
}

When you set a stack policy, any update not explicitly allowed is denied by default. By allowing updates to all resources except for the ProductionDatabase resource, updates to the ProductionDatabase resource are denied.

Conditions

Specifies the resource type that the policy applies to. If you want to specify the logical IDs of specific resources, use the Resource element.

You can specify resource types, such as all Amazon EC2 instances and Amazon RDS DB instances, as shown in the following sample:

{
  "Statement" : [
    {
      "Effect" : "Deny",
      "Principal" : "*",
      "Action" : "Update:*",
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : {
          "ResourceType" : ["AWS::EC2::Instance", "AWS::RDS::DBInstance"]
        }
      }
    },
    {
      "Effect" : "Allow",
      "Principal" : "*",
      "Action" : "Update:*",
      "Resource" : "*"
    }
  ]
}

When you set a stack policy, any update not explicitly allowed is denied by default. The Allow statement grants update permissions to all resources except for Amazon EC2 instances and Amazon RDS DB instances. The Deny statement always overrides any allows.

You can also use a wild card with resource types. For example, you can deny update permissions to all Amazon EC2 resources, such as instances, security groups, and subnets, by using a wild card, as shown in the following snippet:

"Condition" : {
  "StringLike" : {
    "ResourceType" : ["AWS::EC2::*"]
  }
}

You must use the StringLike condition when you use wild cards.

Sample Stack Policies

Prevent any updates to all stack resources

In order to prevent updates to all stack resources, the following policy specifies a Deny for all update actions on all resources:

{
  "Statement" : [
    {
      "Effect" : "Deny",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*"
    }  
  ]
}

Prevent updates to a database only

The following policy denies all update actions for the database with the MyDatabase logical ID. To allow updates for all other stack resources, the policy also allows all update actions on all resources. The Allow statement doesn't affect the MyDatabase resource because the Deny statement always overrides any allows.

{
  "Statement" : [
    {
      "Effect" : "Deny",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "LogicalResourceId/MyDatabase"
    },
    {
      "Effect" : "Allow",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*"
    }
  ]
}

Another way to achieve the same result is to use the default deny. When you set a stack policy, any update not explicitly allowed is denied by default. The following sample uses a NotResource to allow updates to all resources, except for the ProductionDatabase resource.

{
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : "Update:*",
      "Principal": "*",
      "NotResource" : "LogicalResourceId/ProductionDatabase"
    }
  ]
}

By allowing updates to all resources except for the ProductionDatabase resource, updates to the ProductionDatabase resource are denied by default. However, because an explicit deny overrides any allows, you can ensure that a resource is protected by using a Deny statement.

Prevent any updates to all Amazon RDS DB instances

The following policy denies all update actions for the Amazon RDS DB instance resource type. To allow updates for all other stack resources, the policy specifies an allow for all update actions on all resources. The Allow statement does not affect the Amazon RDS DB instance resources because the Deny statement always overrides any allows.

{
  "Statement" : [
    {
      "Effect" : "Deny",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : {
          "ResourceType" : ["AWS::RDS::DBInstance"]
        }
      }
    },
    {
      "Effect" : "Allow",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*"
    }
  ]
}

Prevent replacement updates for an instance

The following policy denies updates that would cause a replacement for the instance with the MyInstance logical ID. To allow updates for all other stack resources, the policy also allows all update actions on all resources. As always, however, the Allow statement doesn't affect the MyInstance resource because the Deny statement always overrides any allows.

{
  "Statement" : [
    {
      "Effect" : "Deny",
      "Action" : "Update:Replace",
      "Principal": "*",
      "Resource" : "LogicalResourceId/MyInstance"
    },
    {
      "Effect" : "Allow",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*"
    }
  ]
}

Prevent updates to any nested stacks

The following policy denies all update actions for the AWS CloudFormation stack resource type (nested stacks). To allow updates for all other stack resources, the policy also allows all update actions on all resources. As always, however, the Allow statement does not affect the AWS CloudFormation stack resources because the Deny statement always overrides any allows.

{
  "Statement" : [
    {
      "Effect" : "Deny",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : {
          "ResourceType" : ["AWS::CloudFormation::Stack"]
        }
      }
    },
    {
      "Effect" : "Allow",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*"
    }
  ]
}
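As an added example (not from this guide and not AWS code), the following Python evaluator applies the rules from the Stack Policy Reference and the Sample Stack Policies above (default deny once a policy is set, an explicit Deny overriding any Allow, Action/NotAction, Resource/NotResource with logical-ID wildcards, and StringEquals versus StringLike on ResourceType), plus the temporary override described under Updating Protected Resources, so you can dry-run a proposed policy against planned changes before applying it. SAMPLE_POLICY and is_update_allowed are constructed for this illustration; CloudFormation itself does not expose such an evaluator.

```python
import json
from fnmatch import fnmatchcase

# Constructed stack policy in the shape of this page's samples: protect
# MyDatabase entirely, block only replacement of MyInstance, allow the rest.
SAMPLE_POLICY = json.loads("""{"Statement": [
  {"Effect": "Deny", "Action": "Update:*", "Principal": "*",
   "Resource": "LogicalResourceId/MyDatabase"},
  {"Effect": "Deny", "Action": "Update:Replace", "Principal": "*",
   "Resource": "LogicalResourceId/MyInstance"},
  {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"}
]}""")

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _matches(patterns, value, like=True):
    # Action, Resource and StringLike accept wildcards; StringEquals is exact.
    return any(fnmatchcase(value, p) if like else value == p for p in patterns)

def _condition_ok(stmt, resource_type):
    # StringEquals compares exactly; StringLike allows patterns such as AWS::EC2::*.
    cond = stmt.get("Condition", {})
    return all(_matches(_as_list(cond[op]["ResourceType"]), resource_type, like)
               for op, like in (("StringEquals", False), ("StringLike", True))
               if op in cond)

def _applies(stmt, logical_id, resource_type, action):
    if "Action" in stmt:
        act_ok = _matches(_as_list(stmt["Action"]), action)
    else:  # NotAction: every update action except the listed ones
        act_ok = not _matches(_as_list(stmt["NotAction"]), action)
    res = "LogicalResourceId/" + logical_id
    if "Resource" in stmt:
        res_ok = _matches(_as_list(stmt["Resource"]), res)
    else:  # NotResource: every resource except the listed logical IDs
        res_ok = not _matches(_as_list(stmt["NotResource"]), res)
    return act_ok and res_ok and _condition_ok(stmt, resource_type)

def is_update_allowed(policy, logical_id, resource_type, action, override=None):
    """policy=None: no stack policy set, all updates allowed. override stands in
    for the policy during this one update (--stack-policy-during-update-body)."""
    effective = override if override is not None else policy
    if effective is None:
        return True
    effects = {s["Effect"] for s in effective["Statement"]
               if _applies(s, logical_id, resource_type, action)}
    # An explicit Deny overrides any Allow; anything not allowed is denied.
    return "Deny" not in effects and "Allow" in effects
```

Feed it the (logical ID, resource type, update action) triples from a change set to list which ones the policy would reject before you run update-stack.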