AWS CloudFormation
User Guide (API Version 2010-05-15)

Protecting a Stack From Being Deleted

You can prevent a stack from being accidentally deleted by enabling termination protection on the stack. If a user attempts to delete a stack with termination protection enabled, the deletion fails and the stack, including its status, remains unchanged. You can enable termination protection on a stack when you create it. Termination protection on stacks is disabled by default. After creation, you can set termination protection on a stack whose status is CREATE_COMPLETE, UPDATE_COMPLETE, or UPDATE_ROLLBACK_COMPLETE.

Enabling or disabling termination protection on a stack sets it for any nested stacks belonging to that stack as well. You cannot enable or disable termination protection directly on a nested stack. If a user attempts to directly delete a nested stack belonging to a stack that has termination protection enabled, the operation fails and the nested stack remains unchanged.

However, if a user performs a stack update that would delete the nested stack, AWS CloudFormation deletes the nested stack accordingly.

Termination protection is different from disabling rollback. Termination protection applies only to attempts to delete stacks, while disabling rollback applies to the automatic rollback that occurs when stack creation fails.
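The following script is an added example, not part of the AWS documentation, that applies the rules above to `aws cloudformation describe-stacks` output: it skips nested stacks (protection is inherited from the root), reports unprotected root stacks, and separates those whose status allows the setting to be changed now from those that must first reach a stable status. The sample stacks, account ID and stack names are constructed.

```python
"""Audit describe-stacks output for root stacks lacking termination protection."""
import json

# Statuses in which termination protection can be changed after creation.
SETTABLE_STATUSES = {"CREATE_COMPLETE", "UPDATE_COMPLETE", "UPDATE_ROLLBACK_COMPLETE"}

# Constructed sample shaped like `aws cloudformation describe-stacks --output json`.
# Nested stacks carry ParentId/RootId; root stacks do not.
SAMPLE_DESCRIBE_STACKS = json.dumps({"Stacks": [
    {"StackName": "prod-network", "StackStatus": "UPDATE_COMPLETE",
     "EnableTerminationProtection": False},
    {"StackName": "prod-network-Subnets-ABC123", "StackStatus": "UPDATE_COMPLETE",
     "EnableTerminationProtection": False,
     "ParentId": "arn:aws:cloudformation:us-east-1:111122223333:stack/prod-network/uuid",
     "RootId": "arn:aws:cloudformation:us-east-1:111122223333:stack/prod-network/uuid"},
    {"StackName": "prod-db", "StackStatus": "UPDATE_IN_PROGRESS",
     "EnableTerminationProtection": False},
    {"StackName": "prod-iam", "StackStatus": "CREATE_COMPLETE",
     "EnableTerminationProtection": True},
]})


def audit(describe_json):
    """Return (fix_now, wait): unprotected root stacks that can be fixed
    immediately, and those whose status does not yet allow the change."""
    fix_now, wait = [], []
    for stack in json.loads(describe_json)["Stacks"]:
        if "RootId" in stack or "ParentId" in stack:
            continue  # nested stack: protection is set only on its root
        if stack.get("EnableTerminationProtection"):
            continue  # already protected
        target = fix_now if stack["StackStatus"] in SETTABLE_STATUSES else wait
        target.append(stack["StackName"])
    return fix_now, wait


def remediation_commands(stack_names):
    """AWS CLI commands that enable protection on each root stack (and,
    by inheritance, on all of its nested stacks)."""
    return [f"aws cloudformation update-termination-protection "
            f"--enable-termination-protection --stack-name {name}"
            for name in stack_names]


if __name__ == "__main__":
    fix, wait = audit(SAMPLE_DESCRIBE_STACKS)
    print("\n".join(remediation_commands(fix)))
    print("wait for stable status:", wait)
```

Feed it real output from `aws cloudformation describe-stacks` to produce the remediation commands for an account.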

To enable termination protection when creating a stack

To enable or disable termination protection on an existing stack

  1. Sign in to the AWS Management Console and open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation/. Select the stack that you want.

    Note

    If NESTED is displayed next to the stack name, the stack is a nested stack. You can only change termination protection on the root stack to which the nested stack belongs.

  2. Choose Actions and then Change Termination Protection.

    CloudFormation displays Enable Termination Protection or Disable Termination Protection, based on the current termination protection setting for the stack.

  3. Choose Yes, Enable or Yes, Disable.

To enable or disable termination protection on a nested stack

If NESTED is displayed next to the stack name, the stack is a nested stack. You can only change termination protection on the root stack to which the nested stack belongs. To change termination protection on the root stack:

  1. Sign in to the AWS Management Console and open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation/. Select the nested stack that you want.

  2. On the Overview tab, click the stack name listed as Root stack.

  3. Choose Other Actions and then choose Change Termination Protection.

    CloudFormation displays Enable Termination Protection or Disable Termination Protection, based on the current termination protection setting for the stack.

  4. Choose Yes, Enable or Yes, Disable.

To enable or disable termination protection using the command line

Controlling Who Can Change Termination Protection on Stacks

To enable or disable termination protection on stacks, a user requires permission for the cloudformation:UpdateTerminationProtection action. For example, the policy below allows users to enable or disable termination protection on stacks.

For more information on specifying permissions in AWS CloudFormation, see Controlling Access with AWS Identity and Access Management.

Example A sample policy that grants permissions to change stack termination protection

    {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "cloudformation:UpdateTerminationProtection"
            ],
            "Resource": "*"
        }]
    }