Ensure that a deletion policy, implemented with the DeletionPolicy attribute, is used for your Amazon CloudFormation stacks in order preserve or backup AWS resources when the stacks are deleted. For example, you can retain an Amazon S3 bucket or take a snapshot of an EBS volume so that you can continue to utilize or modify these resource after you delete their stack.
AWS CloudFormation DeletionPolicy attribute has 3 options:
1. Retain - CloudFormation keeps the AWS resource without deleting it or its contents when the stack is deleted and this option can be applied to any resource type. When CloudFormation service completes the stack deletion, the stack state will be "DELETE_COMPLETE" but the resources that are retained will continue to exist within your AWS account and continue to collect charges until you terminate or delete those resources.
2. Snapshot - when this option is used, CloudFormation creates snapshots of the AWS resources that support snapshots before deleting them. Just like the Retain option, the snapshots created with this option will continue to incur AWS charges until you delete them. The Snapshot option can be applied to the following AWS resources:
RDS database clusters
ElastiCache cache clusters
ElastiCache Redis replication groups
3. Delete - CloudFormation deletes the specified AWS resource and all its content if applicable during stack deletion. DeletionPolicy attribute set to Delete can be applied to any AWS resource type.
By default, if the DeletionPolicy attribute is not specified for resources within the stack, AWS CloudFormation deletes those resources. With DeletionPolicy set to Retain or Snapshot, you have the guarantee that your AWS resources are not terminated or deleted and make sure that your data remains intact after stack removal.
Note: As example, this conformity rule demonstrates how to use Retain option for an AWS CloudFormation stack deletion policy to retain an S3 bucket configured for website access after the stack is deleted. To use other two deletion policy options, just replace Retain with Snapshot or Delete within the DeletionPolicy attribute value. The Snapshot option can be used only for AWS resources that support snapshots such as RDS database instances and EBS volumes, while the Delete option can be applied to any resource type.
To determine if your Amazon CloudFormation stacks are using deletion policies, perform the following actions:
Remediation / Resolution
To implement a CloudFormation deletion policy that enables you to retain an AWS resource in the event of a stack deletion, perform the following actions:
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
Get started for FREE
You are auditing:
AWS CloudFormation Deletion Policy in Use
Risk level: Medium