CloudFormation Stack Termination Protection
Overview
This check verifies that AWS CloudFormation stacks have termination protection enabled. Termination protection is a safeguard that prevents a stack from being accidentally deleted. When enabled, any attempt to delete the stack will fail until protection is explicitly disabled.
This check applies to root stacks only. Nested stacks inherit termination protection from their parent and cannot be configured independently.
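As an added example (not part of the original check documentation), the following Python script implements the check logic over the shape of `aws cloudformation describe-stacks` output: root stacks are evaluated, nested stacks (those carrying a ParentId) are skipped because they inherit protection from their root, stacks already in DELETE_COMPLETE are ignored, and an absent EnableTerminationProtection key is treated as disabled. The sample stack records are constructed, and the `fetch_stacks` helper (which assumes boto3 and valid credentials) is this example's own addition for running the same logic against a live account.

```python
"""Audit CloudFormation root stacks for termination protection.

Added example; the sample data below is constructed to resemble
describe-stacks output and does not come from a real account.
"""
from __future__ import annotations

from typing import Iterable


def is_nested_stack(stack: dict) -> bool:
    """Nested stacks carry ParentId (and RootId); they cannot be configured independently."""
    return bool(stack.get("ParentId"))


def evaluate_stack(stack: dict) -> dict:
    """Produce a PASS/FAIL finding for one root stack record."""
    protected = bool(stack.get("EnableTerminationProtection", False))
    name = stack["StackName"]
    return {
        "StackName": name,
        "Status": "PASS" if protected else "FAIL",
        # Remediation mirrors the CLI command given later on this page.
        "Remediation": None if protected else (
            "aws cloudformation update-termination-protection "
            f"--stack-name {name} --enable-termination-protection"
        ),
    }


def audit_stacks(stacks: Iterable[dict]) -> list[dict]:
    """Evaluate every live root stack; nested and already-deleted stacks are excluded."""
    return [
        evaluate_stack(s)
        for s in stacks
        if not is_nested_stack(s) and s.get("StackStatus") != "DELETE_COMPLETE"
    ]


def unprotected_root_stacks(stacks: Iterable[dict]) -> list[str]:
    """Names of root stacks that fail the check."""
    return [f["StackName"] for f in audit_stacks(stacks) if f["Status"] == "FAIL"]


# Constructed sample resembling describe-stacks output (account id and ids are fake).
SAMPLE_STACKS = [
    {"StackName": "my-production-stack", "StackStatus": "CREATE_COMPLETE",
     "EnableTerminationProtection": True},
    {"StackName": "staging-api", "StackStatus": "UPDATE_COMPLETE",
     "EnableTerminationProtection": False},
    {"StackName": "my-production-stack-NetworkNested-ABC123",
     "StackStatus": "CREATE_COMPLETE",
     "ParentId": "arn:aws:cloudformation:us-east-1:123456789012:stack/my-production-stack/abc12345-1234-5678-abcd-1234567890ab",
     "RootId": "arn:aws:cloudformation:us-east-1:123456789012:stack/my-production-stack/abc12345-1234-5678-abcd-1234567890ab",
     "EnableTerminationProtection": False},
    {"StackName": "legacy-batch", "StackStatus": "CREATE_COMPLETE"},  # key absent
    {"StackName": "old-experiment", "StackStatus": "DELETE_COMPLETE",
     "EnableTerminationProtection": False},
]


def fetch_stacks(region: str = "us-east-1") -> list[dict]:
    """Live variant (assumption: boto3 installed, credentials configured)."""
    import boto3  # imported lazily so the module stays usable offline

    cfn = boto3.client("cloudformation", region_name=region)
    stacks: list[dict] = []
    for page in cfn.get_paginator("describe_stacks").paginate():
        stacks.extend(page["Stacks"])
    return stacks


if __name__ == "__main__":
    for finding in audit_stacks(SAMPLE_STACKS):
        print(finding["Status"], finding["StackName"], finding["Remediation"] or "")
```

Run it as-is to see the verdict for the constructed sample; swap `SAMPLE_STACKS` for `fetch_stacks()` to audit a real region.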
Risk
Without termination protection:
- Accidental deletion: A simple click or typo could destroy your entire infrastructure
- Malicious deletion: An attacker with delete permissions could wipe out critical resources
- Automation errors: Scripts or CI/CD pipelines with bugs could unintentionally remove stacks
- Service outages: Deleted stacks mean immediate downtime for dependent applications
- Data loss: Resources managed by the stack may be permanently lost if no backups exist
Enabling termination protection adds a deliberate two-step process to delete a stack, reducing the chance of unintended destruction.
Remediation Steps
Prerequisites
You need permission to modify CloudFormation stacks. Specifically, you need the cloudformation:UpdateTerminationProtection permission.
AWS Console Method
- Open the AWS CloudFormation console
- In the left navigation, click Stacks
- Select the stack you want to protect (click the radio button next to it)
- Click Stack actions in the top-right area
- Select Edit termination protection
- In the dialog, choose Enabled
- Click Save
You should see a confirmation message, and the stack's termination protection status will update.
AWS CLI (optional)
Use the following command to enable termination protection on a stack:
aws cloudformation update-termination-protection \
--stack-name <your-stack-name> \
--enable-termination-protection \
--region us-east-1
Replace <your-stack-name> with the name of your CloudFormation stack.
Example:
aws cloudformation update-termination-protection \
--stack-name my-production-stack \
--enable-termination-protection \
--region us-east-1
Expected output:
{
"StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/my-production-stack/abc12345-1234-5678-abcd-1234567890ab"
}
To verify the change:
aws cloudformation describe-stacks \
--stack-name my-production-stack \
--region us-east-1 \
--query "Stacks[0].EnableTerminationProtection"
This should return true.
CloudFormation (optional)
When creating a new stack via CloudFormation, you cannot enable termination protection within the template itself. Instead, you enable it when deploying the stack using the AWS CLI or console.
Using AWS CLI to create a stack with termination protection:
aws cloudformation create-stack \
--stack-name my-new-stack \
--template-body file://template.yaml \
--enable-termination-protection \
--region us-east-1
For existing stacks deployed via CloudFormation:
Use the update-termination-protection command shown in the CLI section above.
Best practice: Combine termination protection with a stack policy to prevent accidental updates to critical resources:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["Update:Replace", "Update:Delete"],
      "Principal": "*",
      "Resource": "LogicalResourceId/CriticalDatabase"
    }
  ]
}
Terraform (optional)
If you manage CloudFormation stacks through Terraform, the aws_cloudformation_stack resource offers a disable_rollback argument but does not expose enable_termination_protection, so termination protection cannot be set on the resource itself.
Alternative approach using AWS CLI via Terraform:
You can use a null_resource with a local-exec provisioner to enable termination protection after stack creation:
resource "aws_cloudformation_stack" "example" {
  name          = "my-production-stack"
  template_body = file("${path.module}/template.yaml")
  # Other configuration...
}

resource "null_resource" "enable_termination_protection" {
  depends_on = [aws_cloudformation_stack.example]

  provisioner "local-exec" {
    command = <<-EOT
      aws cloudformation update-termination-protection \
        --stack-name ${aws_cloudformation_stack.example.name} \
        --enable-termination-protection \
        --region us-east-1
    EOT
  }
}
Note: If you are using Terraform to manage infrastructure directly (not via CloudFormation), consider using Terraform's own state locking and workspace protection features instead.
Verification
After enabling termination protection, verify it is active:
- Go to the CloudFormation console
- Click on your stack name to open its details
- Look for Termination protection in the stack info section
- Confirm it shows Enabled
CLI verification
aws cloudformation describe-stacks \
--stack-name <your-stack-name> \
--region us-east-1 \
--query "Stacks[0].{StackName: StackName, TerminationProtection: EnableTerminationProtection}"
Expected output:
{
"StackName": "my-production-stack",
"TerminationProtection": true
}
Additional Resources
- Protecting a Stack from Being Deleted - AWS Documentation
- AWS CloudFormation Best Practices
- Prevent Updates to Stack Resources - Stack Policies
Notes
- Root stacks only: Termination protection applies to root stacks. Nested stacks automatically inherit protection from their parent stack.
- Does not prevent updates: Termination protection only blocks deletion. To prevent accidental updates, use a stack policy.
- Can be disabled: Users with the cloudformation:UpdateTerminationProtection permission can disable protection. Use IAM policies to restrict this permission in production environments.
- DeletionPolicy complement: For critical data resources (like databases), also set DeletionPolicy: Retain in your templates so resources are preserved even if the stack is deleted.
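As an added example (not part of the original page), the following Python lint checks the DeletionPolicy complement above: it scans a JSON-format CloudFormation template for stateful resource types that lack DeletionPolicy: Retain and can emit a copy of the template with Retain applied. The list of "stateful" resource types is this example's own choice, the sample template is constructed, and YAML templates are out of scope here (they would need a YAML parser that understands CloudFormation's short-form tags).

```python
"""Lint a CloudFormation template for stateful resources without DeletionPolicy: Retain.

Added example; the resource-type list and the sample template are
assumptions constructed for illustration.
"""
from __future__ import annotations

import copy
import json

# Resource types whose deletion destroys data. Extend to taste.
STATEFUL_TYPES = {
    "AWS::RDS::DBInstance",
    "AWS::RDS::DBCluster",
    "AWS::DynamoDB::Table",
    "AWS::S3::Bucket",
    "AWS::EFS::FileSystem",
}


def find_unretained_resources(template: dict) -> list[dict]:
    """Return stateful resources whose DeletionPolicy is not Retain.

    A missing DeletionPolicy is reported as None; note that "Snapshot" is a
    real alternative for snapshot-capable types, but this lint follows the
    page's recommendation of Retain.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type", "")
        if rtype not in STATEFUL_TYPES:
            continue
        policy = resource.get("DeletionPolicy")
        if policy != "Retain":
            findings.append(
                {"LogicalResourceId": logical_id, "Type": rtype, "DeletionPolicy": policy}
            )
    return findings


def apply_retain(template: dict) -> dict:
    """Return a deep copy of the template with DeletionPolicy: Retain on every stateful resource."""
    fixed = copy.deepcopy(template)
    for finding in find_unretained_resources(fixed):
        fixed["Resources"][finding["LogicalResourceId"]]["DeletionPolicy"] = "Retain"
    return fixed


def lint_template_text(text: str) -> list[dict]:
    """Convenience wrapper for a JSON template read from disk."""
    return find_unretained_resources(json.loads(text))


# Constructed sample template (JSON form; properties trimmed to the minimum).
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "CriticalDatabase": {
            "Type": "AWS::RDS::DBInstance",
            "DeletionPolicy": "Retain",
            "Properties": {"DBInstanceClass": "db.t3.micro", "Engine": "postgres",
                           "AllocatedStorage": "20"},
        },
        "SessionTable": {
            "Type": "AWS::DynamoDB::Table",
            "Properties": {"BillingMode": "PAY_PER_REQUEST"},
        },
        "WebServer": {
            "Type": "AWS::EC2::Instance",
            "Properties": {"InstanceType": "t3.micro"},
        },
    },
})


if __name__ == "__main__":
    for f in lint_template_text(SAMPLE_TEMPLATE):
        print(f"{f['LogicalResourceId']} ({f['Type']}): DeletionPolicy={f['DeletionPolicy']}")
```

Running the script reports SessionTable as the only stateful resource without Retain; `apply_retain` gives a template you can diff against the original before committing the change.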