4: CloudFormation Stack Protection
How do we prevent accidental stack deletion/updates?
- Termination protection
- Stack-level policies
- Resource-level policies
- IAM Policies
Termination Protection
- Enable when creating the stack
- Delete actions will be denied
- Protection flows from the parent stack down to its nested (child) stacks
- It is not a hard lock: anyone with permission to update the stack can turn protection off and then delete the stack, so pair it with IAM controls
IAM Policies
- Same as everywhere else:
  - Make groups (admins, lead devs)
  - Define roles (permission boundaries)
  - Assign roles to groups
Deletion Policies
- Preserve or back up individual resources when stack deleted
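As an added example (not part of the course notes), the following Python script lints a CloudFormation template for stateful resources that have no `DeletionPolicy` (or the default `Delete`) and shows the two settings the bullet refers to: `Retain` keeps the resource after the stack is gone, `Snapshot` backs it up first. The template, the resource names and the `STATEFUL_TYPES` mapping are constructed for the example; the `DeletionPolicy` attribute and its `Retain`/`Snapshot`/`Delete` values are the real CloudFormation ones.

```python
"""Added example, not from the course notes: find stateful resources in a
CloudFormation template that would be destroyed on stack deletion, and apply
a DeletionPolicy to them. Sample template below is constructed."""
import json

# Resource types that hold data and so deserve Retain or Snapshot on stack
# deletion. The mapping is an assumption for this example, not an AWS list.
STATEFUL_TYPES = {
    "AWS::RDS::DBInstance": "Snapshot",
    "AWS::RDS::DBCluster": "Snapshot",
    "AWS::EC2::Volume": "Snapshot",
    "AWS::S3::Bucket": "Retain",
    "AWS::DynamoDB::Table": "Retain",
}

# Constructed sample template: the DB is protected, the bucket is not.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "MyDBInstance": {
            "Type": "AWS::RDS::DBInstance",
            "DeletionPolicy": "Snapshot",
            "Properties": {"Engine": "postgres",
                           "DBInstanceClass": "db.t3.micro",
                           "AllocatedStorage": "20"},
        },
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {},
        },
        "WebSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": "stateless, fine to delete"},
        },
    },
}


def find_unprotected(template: dict) -> dict:
    """Return {logical_id: recommended_policy} for every stateful resource
    whose DeletionPolicy is missing or explicitly set to Delete."""
    findings = {}
    for logical_id, res in template.get("Resources", {}).items():
        recommended = STATEFUL_TYPES.get(res.get("Type"))
        if recommended is None:
            continue  # stateless resource, nothing to preserve
        if res.get("DeletionPolicy", "Delete") == "Delete":
            findings[logical_id] = recommended
    return findings


def apply_recommendations(template: dict) -> dict:
    """Return a deep copy of the template with the recommended DeletionPolicy
    added to each finding; the input template is left untouched."""
    fixed = json.loads(json.dumps(template))
    for logical_id, policy in find_unprotected(fixed).items():
        fixed["Resources"][logical_id]["DeletionPolicy"] = policy
    return fixed


if __name__ == "__main__":
    for lid, policy in find_unprotected(SAMPLE_TEMPLATE).items():
        print(f"{lid}: no DeletionPolicy, recommend {policy}")
    fixed = apply_recommendations(SAMPLE_TEMPLATE)
    print(json.dumps(fixed["Resources"]["LogsBucket"], indent=2))
```

Running it reports `LogsBucket` as unprotected and emits the bucket definition with `"DeletionPolicy": "Retain"` added; a check like this fits naturally into a template review step before `deploy`.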
Stack-Level Policies
- JSON doc defining resources AWS CloudFormation can update during stack ops (create, update, and delete)
- Prevent updates that would delete or replace certain critical resources
- Example stack-level policy (the Deny blocks every update action on the DB instance; the Allow keeps all other resources updatable):

  {
    "Statement" : [
      {
        "Effect" : "Deny",
        "Action" : "Update:*",
        "Principal": "*",
        "Resource" : "LogicalResourceId/MyDBInstance"
      },
      {
        "Effect" : "Allow",
        "Action" : "Update:*",
        "Principal": "*",
        "Resource" : "*"
      }
    ]
  }
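To make the example policy's behaviour concrete, here is an added Python evaluator (not part of the notes and not AWS code) that applies a stack policy to proposed updates the way CloudFormation does: once a stack policy exists every resource is protected unless a statement allows the update, an explicit Deny overrides any Allow, `Update:*` stands for the three actions `Update:Modify`, `Update:Replace` and `Update:Delete`, and `Resource` is either `*` or `LogicalResourceId/<id>` (with a trailing wildcard). `NotAction`, `NotResource` and `Condition` blocks, which real stack policies also support, are deliberately not modelled; the change list used at the bottom is constructed.

```python
"""Added example, not from the course notes: evaluate a CloudFormation stack
policy against a proposed set of updates. Models default-deny, Deny-overrides-
Allow, the Update:* wildcard and LogicalResourceId/ resource matching only."""
import fnmatch

UPDATE_ACTIONS = ("Update:Modify", "Update:Replace", "Update:Delete")

# The stack policy from the notes, as a Python dict.
STACK_POLICY = {
    "Statement": [
        {"Effect": "Deny", "Action": "Update:*", "Principal": "*",
         "Resource": "LogicalResourceId/MyDBInstance"},
        {"Effect": "Allow", "Action": "Update:*", "Principal": "*",
         "Resource": "*"},
    ]
}


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    return pattern == "Update:*" or pattern == action


def _resource_matches(pattern: str, logical_id: str) -> bool:
    """Stack policies name resources as LogicalResourceId/<id>; "*" is all."""
    if pattern == "*":
        return True
    prefix = "LogicalResourceId/"
    if not pattern.startswith(prefix):
        return False
    return fnmatch.fnmatchcase(logical_id, pattern[len(prefix):])


def is_update_allowed(policy: dict, logical_id: str, action: str) -> bool:
    """True if the policy lets `action` run on resource `logical_id`."""
    if action not in UPDATE_ACTIONS:
        raise ValueError(f"unknown stack policy action: {action}")
    allowed = False
    for stmt in policy.get("Statement", []):
        if not any(_action_matches(a, action)
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(_resource_matches(r, logical_id)
                   for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny wins regardless of statement order
        if stmt["Effect"] == "Allow":
            allowed = True
    return allowed  # no matching Allow: protected by default


def blocked_changes(policy: dict, changes: list) -> list:
    """changes: list of (logical_id, action). Returns the subset the policy
    would reject, which is what makes the whole stack update fail."""
    return [(lid, act) for lid, act in changes
            if not is_update_allowed(policy, lid, act)]


if __name__ == "__main__":
    # Constructed change set: a harmless web-tier change plus a DB replacement.
    proposed = [("WebServer", "Update:Modify"),
                ("MyDBInstance", "Update:Replace")]
    for lid, act in blocked_changes(STACK_POLICY, proposed):
        print(f"blocked by stack policy: {act} on {lid}")
```

The second `Allow` statement is not decoration: drop it and the same policy blocks updates to every resource in the stack, because a stack policy denies by default. When a blocked change is genuinely intended, the usual practice is to supply a temporary overriding policy for that one update rather than editing the stored policy.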