Termination Protection in AWS CloudFormation

Termination Protection in AWS CloudFormation is a feature that helps prevent accidental or undesired deletion of resources managed by a CloudFormation stack. When enabled, Termination Protection adds an additional layer of protection to the resources in a stack, ensuring that they cannot be deleted or modified through CloudFormation without explicitly disabling the protection.

By default, Termination Protection is disabled for CloudFormation stacks, which means that any resources within the stack can be deleted or modified during stack updates or deletions. Enabling Termination Protection is a proactive measure to safeguard critical resources or prevent accidental changes to your infrastructure.

When Termination Protection is enabled for a stack, AWS CloudFormation blocks the deletion of the stack and any resources it manages. This includes preventing updates that could potentially delete or replace resources. Any attempt to delete or modify the stack will result in an error.

You can set termination protection on a stack with any status except DELETE_IN_PROGRESS or DELETE_COMPLETE.

Enabling or disabling termination protection on a stack sets it for any nested stacks belonging to that stack as well. You can't enable or disable termination protection directly on a nested stack. If a user attempts to directly delete a nested stack belonging to a stack that has termination protection enabled, the operation fails and the nested stack remains unchanged.

To enable Termination Protection for a CloudFormation stack, you can use the AWS Management Console, AWS CLI (Command Line Interface), or AWS SDKs (Software Development Kits). The specific steps may vary depending on the chosen method, but typically involve selecting the stack and enabling Termination Protection through the provided options or APIs.

It's important to note that Termination Protection in CloudFormation only applies to resources managed by the stack. It does not protect resources created outside the CloudFormation stack or resources that are not managed by CloudFormation.

While Termination Protection provides an additional safeguard against accidental deletions, it's crucial to exercise caution when using it. Carefully consider the impact of changes or potential resource deletions before enabling or disabling Termination Protection, as it can affect the overall manageability of your infrastructure.

To enable termination protection on an existing stack

  1. Sign in to the AWS Management Console and open the CloudFormation console at https://console.aws.amazon.com/cloudformation/.

  2. Select the stack that you want.

    If NESTED is displayed next to the stack name, the stack is a nested stack. You can only change termination protection on the root stack to which the nested stack belongs.

  3. In the stack details pane, select Stack actions and then Edit termination protection.

    CloudFormation displays the Edit termination protection dialog box.

  4. Choose Activated, and then select Save.

  5. If you now try to delete the stack, you first have to deactivate termination protection.

How to check the status of Termination Protection via AWS CLI

To check if termination protection is enabled for an AWS CloudFormation stack using the AWS CLI, you can use the describe-stacks command and examine the EnableTerminationProtection attribute. Here's how you can do it:

  1. Open your preferred command-line interface or terminal.

  2. Ensure that you have the AWS CLI installed and properly configured with your AWS credentials.

  3. Run the following command, replacing stack-name with the name of your CloudFormation stack:

aws cloudformation describe-stacks --stack-name <stack-name> --query "Stacks[0].EnableTerminationProtection"

The command will return the value of the EnableTerminationProtection attribute for the specified stack. If termination protection is enabled, the command will return true. If termination protection is disabled, the command will return false.

If the stack exists and termination protection is enabled, the command's output will resemble the following:

true

If the stack doesn't exist or termination protection is disabled, the command's output will resemble the following:

false

By examining the output, you can determine the status of termination protection for the specified CloudFormation stack using the AWS CLI.

How to enable Termination Protection via AWS CLI

To enable termination protection for an AWS CloudFormation stack using the AWS CLI, you can use the update-termination-protection command. Here's how you can do it:

  1. Open your preferred command-line interface or terminal.

  2. Ensure that you have the AWS CLI installed and properly configured with your AWS credentials.

  3. Run the following command, replacing stack-name with the name of your CloudFormation stack:

aws cloudformation update-termination-protection --enable-termination-protection --stack-name <stack-name>

This command will enable termination protection for the specified CloudFormation stack. The --enable-termination-protection option instructs the CLI to enable the termination protection for the stack.

If the command is successful, it will not return any output. However, you can verify the status of termination protection by running the describe-stacks command again:

aws cloudformation describe-stacks --stack-name <stack-name> --query "Stacks[0].EnableTerminationProtection"

The command should now return true, indicating that termination protection is enabled for the stack.

Please note that enabling termination protection will prevent the deletion or update of the stack and its resources through CloudFormation. To disable termination protection, you can use the same update-termination-protection command with the --disable-termination-protection option instead.
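An added audit script (not code from the original page or from AWS) that combines the two CLI commands above: it lists every root stack with describe-stacks, reports the ones whose EnableTerminationProtection is not True and, with --enforce, switches protection on for them with update-termination-protection. The script and function names are assumptions; report_unprotected works on the text-format listing, so it can be exercised offline on constructed lines.

```shell
#!/bin/sh
# cfn-tp-audit.sh (assumed name): audit, and optionally enforce, termination
# protection on every root stack in the configured region.
# Added example, not code from the original page or from AWS.

# Emit "StackName<TAB>True|False" for each root stack. Nested stacks inherit
# the root's setting and cannot be changed directly, so they are filtered out.
list_stack_protection() {
    aws cloudformation describe-stacks \
        --query 'Stacks[?ParentId==`null`].[StackName,EnableTerminationProtection]' \
        --output text
}

# The page's update-termination-protection command, wrapped for one stack.
# stdin is redirected so the CLI cannot consume the caller's input lines.
enable_protection() {
    aws cloudformation update-termination-protection \
        --enable-termination-protection --stack-name "$1" </dev/null
}

# Read list_stack_protection lines on stdin, print each unprotected stack and,
# when $1 is "--enforce", switch protection on for it. Anything other than
# True (False, None) is treated as unprotected. Returns 1 if any stack was
# unprotected, so a CI or compliance job can fail on the result.
report_unprotected() {
    mode="${1:-}"
    unprotected=0
    while IFS="$(printf '\t')" read -r name enabled; do
        [ -n "$name" ] || continue
        case "$enabled" in
            True|true) ;;
            *)
                echo "UNPROTECTED: $name"
                unprotected=$((unprotected + 1))
                if [ "$mode" = "--enforce" ]; then
                    enable_protection "$name"
                fi
                ;;
        esac
    done
    [ "$unprotected" -eq 0 ]
}

audit_stacks() {
    list_stack_protection | report_unprotected "${1:-}"
}

# Usage: sh cfn-tp-audit.sh --audit [--enforce]
if [ "${1:-}" = "--audit" ]; then
    audit_stacks "${2:-}"
fi
```

Run it without --enforce first to see which stacks would be changed; the non-zero exit status makes it usable as a scheduled compliance check.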

Controlling who can change termination protection on stacks

To enable or disable termination protection on stacks, a user requires permission for the cloudformation:UpdateTerminationProtection action. For example, the policy below allows users to enable or disable termination protection on stacks.

For more information on specifying permissions in AWS CloudFormation, see Controlling access with AWS Identity and Access Management.

Example: A sample policy that grants permissions to change stack termination protection
{
    "Version":"2012-10-17",
    "Statement":[{
        "Effect":"Allow",
        "Action":[
            "cloudformation:UpdateTerminationProtection"
        ],
        "Resource":"*"
    }]
}
