Use Case for AWS Cloudformation Stacks should have Termination Protection enabled

When should I use AWS CloudFormation Stack Termination Protection?

AWS CloudFormation stacks have a flag named "Termination Protection" which, when enabled, blocks every stack-level delete operation regardless of how it is issued (CLI, Console, SDK, CI/CD pipeline, etc.). Note that it protects only the stack itself: a stack update that removes a resource from the template still deletes that resource (unless the resource carries a DeletionPolicy of Retain), and a replacement triggered by an update still discards the old resource (unless UpdateReplacePolicy is Retain). Two further caveats: termination protection is set on the root stack and inherited by its nested stacks, so it cannot be toggled on a nested stack directly; and any principal allowed to call cloudformation:UpdateTerminationProtection can switch it off and then delete the stack, so it is a guardrail against accidental deletion, not a control against a privileged or malicious actor.

This is valuable for averting service disruptions and for meeting data retention requirements. It is generally advisable to enable termination protection on every stack in a production environment. Be aware that it cannot fully eliminate the risk of accidental loss and is no substitute for additional measures such as backups of stateful resources (databases, volumes, buckets) and regular fire drills for outage recovery.
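The following is an added example, not code from this page or from its vendor: a small boto3 script that reproduces the check behind STACK_TERMINATION_PROTECTION_NOT_ENABLED (root stacks whose EnableTerminationProtection flag is false) and can optionally remediate them. It assumes the boto3 CloudFormation client API (describe_stacks returning EnableTerminationProtection, ParentId, RootId and StackStatus per stack, and update_termination_protection). The sample stack records are constructed for illustration, not taken from a real account; nested stacks are skipped because protection is inherited from the root stack.

```python
"""Audit CloudFormation stacks for termination protection; optionally enable it.

Added example (not from the original page or vendor). Assumes the boto3
CloudFormation client API; SAMPLE_STACKS is constructed test data.
"""
from typing import Dict, Iterable, List

# Stacks in these states cannot (or should not) be modified.
SKIP_STATUSES = {"DELETE_COMPLETE", "DELETE_IN_PROGRESS", "REVIEW_IN_PROGRESS"}


def find_unprotected_stacks(stacks: Iterable[Dict]) -> List[str]:
    """Return names of root stacks that lack termination protection.

    Nested stacks (those with ParentId/RootId) are skipped: the flag lives on
    the root stack and is inherited, and UpdateTerminationProtection on a
    nested stack is rejected by the service.
    """
    unprotected = []
    for stack in stacks:
        if stack.get("StackStatus") in SKIP_STATUSES:
            continue
        if stack.get("ParentId") or stack.get("RootId"):
            continue
        if not stack.get("EnableTerminationProtection", False):
            unprotected.append(stack["StackName"])
    return unprotected


def list_stacks(cfn) -> List[Dict]:
    """Page through describe_stacks using the given CloudFormation client."""
    stacks = []
    for page in cfn.get_paginator("describe_stacks").paginate():
        stacks.extend(page["Stacks"])
    return stacks


def enable_termination_protection(cfn, stack_names: Iterable[str]) -> List[str]:
    """Turn termination protection on for each named stack; return what changed."""
    changed = []
    for name in stack_names:
        cfn.update_termination_protection(
            EnableTerminationProtection=True, StackName=name
        )
        changed.append(name)
    return changed


# Constructed sample modelled on describe_stacks output (not real account data).
SAMPLE_STACKS = [
    {"StackName": "prod-db", "StackStatus": "CREATE_COMPLETE",
     "EnableTerminationProtection": False},
    {"StackName": "prod-api", "StackStatus": "UPDATE_COMPLETE",
     "EnableTerminationProtection": True},
    {"StackName": "prod-db-Nested-ABC123", "StackStatus": "CREATE_COMPLETE",
     "EnableTerminationProtection": False,
     "ParentId": "arn:aws:cloudformation:us-east-1:123456789012:stack/prod-db/x",
     "RootId": "arn:aws:cloudformation:us-east-1:123456789012:stack/prod-db/x"},
    {"StackName": "old-test", "StackStatus": "DELETE_COMPLETE",
     "EnableTerminationProtection": False},
]


if __name__ == "__main__":
    import sys
    import boto3  # only needed when running against a real account

    cfn = boto3.client("cloudformation")
    unprotected = find_unprotected_stacks(list_stacks(cfn))
    print("unprotected root stacks:", unprotected)
    if "--fix" in sys.argv:
        print("protection enabled on:", enable_termination_protection(cfn, unprotected))
```

Run it without arguments to list violations, or with `--fix` to remediate; against SAMPLE_STACKS only prod-db is reported, since prod-api is already protected, the nested stack inherits from its root, and the deleted stack is skipped. The equivalent one-off CLI call is `aws cloudformation update-termination-protection --enable-termination-protection --stack-name NAME`, and new stacks can be created protected with `--enable-termination-protection` on create-stack. Because the same API can turn the flag off, restrict cloudformation:UpdateTerminationProtection in production IAM policies to the roles that genuinely need it.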