Question #949
A developer encountered the following error while deleting an AWS CloudFormation stack:
DELETE_FAILED (The following resource(s) failed to delete: [EC2AppRole78901234].)
What action should the developer take to resolve this error?
A. Open an AWS support case to escalate the IAM role deletion failure.
B. Update the CloudFormation template to include a DeletionPolicy attribute for EC2AppRole78901234. Then retry stack deletion.
C. Modify the CloudFormation template to set the DeletionPolicy for EC2AppRole78901234 to 'Retain'. Delete the stack, then manually remove the role via the IAM console.
D. Use the AWS CLI to force-delete the stack with the --override-resource-type EC2AppRole78901234 parameter.
Explanation
Answer C is correct because:
1. DeletionPolicy Attribute: With 'DeletionPolicy: Retain' on EC2AppRole78901234, CloudFormation drops the role from the stack without calling IAM DeleteRole, so the stack deletion no longer fails on it.
2. Manual Cleanup: The role is left behind, and the developer deletes it from the IAM console once the cause of the DeleteRole failure has been removed. IAM refuses to delete a role that is still in an instance profile or still has policies attached, which usually means something outside the stack (an instance launched by hand, a policy attached by hand) is using it.
Caveat: a stack that is already in DELETE_FAILED cannot be updated, so the template edit in C only takes effect if it can be applied before the next delete. For a stack already stuck in this state, the documented way to reach the same outcome is to retry the delete and retain the failing resource (aws cloudformation delete-stack --retain-resources EC2AppRole78901234), then clean up the role by hand.
Why other options are incorrect:
- A: Escalating to AWS Support is unnecessary; the failure comes from attachments to the role made outside CloudFormation's control, which the account owner can inspect and remove.
- B: A DeletionPolicy added by a stack update does apply to the existing resource on the next delete, but this option names no policy value (the default, Delete, changes nothing) and leaves the underlying attachment in place, so the deletion would fail the same way.
- D: The AWS CLI has no '--override-resource-type' parameter. The option that exists for this situation is --retain-resources on delete-stack, which is accepted only for stacks already in DELETE_FAILED and skips the listed resources rather than forcing their deletion.
Key Points:
- 'DeletionPolicy: Retain' keeps a resource when its stack is deleted; for a stack already in DELETE_FAILED, retrying the delete with --retain-resources does the same for the resources that failed.
- Before deleting a retained IAM role, remove it from its instance profiles and detach or delete its policies, and check first that no running instance still uses that profile, or the instance loses its credentials.
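The following script is an added example, not part of the original question or its explanation. It walks the recovery route a practitioner would take for the stack in this question: read the failed logical IDs from the stack's status reason, retry the delete with those resources retained (the only change a stack in DELETE_FAILED still accepts), then remove the orphaned IAM role by hand after confirming no running instance still uses it. It goes beyond the page by using the AWS CLI's --retain-resources instead of a template edit. Assumptions: the AWS CLI is configured for the account that owns the stack, the stack name is passed as the first argument, and the script and function names (cfn-retain-delete.sh, failed_ids_from_reason and the others) are hypothetical.

```shell
#!/usr/bin/env bash
# cfn-retain-delete.sh (hypothetical name): recover from a CloudFormation
# DELETE_FAILED caused by an IAM role that is still in use.
#   1. read which logical resources failed from the stack status reason,
#   2. retry the delete with them retained (--retain-resources is accepted
#      only for stacks already in DELETE_FAILED),
#   3. remove the orphaned role by hand once nothing references it.
# Assumes an AWS CLI configured for the account that owns the stack.
set -eu

# Extract logical IDs from a reason such as
#   "The following resource(s) failed to delete: [EC2AppRole78901234, AppBucket]."
# Prints one ID per line; prints nothing if the text is not a delete failure.
failed_ids_from_reason() {
  printf '%s\n' "$1" \
    | sed -n 's/.*failed to delete: \[\([^]]*\)].*/\1/p' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -v '^$' || true
}

# "<ResourceType>\t<PhysicalResourceId>" for a logical ID. Must run while the
# stack still exists: EC2AppRole78901234 is a logical ID, not the role name.
resource_info() {
  aws cloudformation describe-stack-resource \
    --stack-name "$1" --logical-resource-id "$2" \
    --query 'StackResourceDetail.[ResourceType,PhysicalResourceId]' --output text
}

# Retry the delete, leaving the named resources in place.
retain_and_delete() {
  stack=$1; shift
  aws cloudformation delete-stack --stack-name "$stack" --retain-resources "$@"
  aws cloudformation wait stack-delete-complete --stack-name "$stack"
}

# Refuse to touch a role that a live instance still assumes: pulling it out
# of the instance profile would leave that instance without credentials.
assert_role_unused() {
  for profile_arn in $(aws iam list-instance-profiles-for-role --role-name "$1" \
        --query 'InstanceProfiles[].Arn' --output text); do
    users=$(aws ec2 describe-instances \
        --filters "Name=iam-instance-profile.arn,Values=$profile_arn" \
                  "Name=instance-state-name,Values=pending,running,stopping,stopped" \
        --query 'Reservations[].Instances[].InstanceId' --output text)
    if [ -n "$users" ]; then
      echo "role $1 is still used by instance(s): $users" >&2
      return 1
    fi
  done
}

# IAM DeleteRole refuses while the role sits in an instance profile or has
# policies attached; attachments made outside the stack are the usual reason
# CloudFormation's own delete failed.
delete_role() {
  role=$1
  assert_role_unused "$role"
  for profile in $(aws iam list-instance-profiles-for-role --role-name "$role" \
        --query 'InstanceProfiles[].InstanceProfileName' --output text); do
    aws iam remove-role-from-instance-profile \
      --instance-profile-name "$profile" --role-name "$role"
  done
  for arn in $(aws iam list-attached-role-policies --role-name "$role" \
        --query 'AttachedPolicies[].PolicyArn' --output text); do
    aws iam detach-role-policy --role-name "$role" --policy-arn "$arn"
  done
  for name in $(aws iam list-role-policies --role-name "$role" \
        --query 'PolicyNames[]' --output text); do
    aws iam delete-role-policy --role-name "$role" --policy-name "$name"
  done
  aws iam delete-role --role-name "$role"
}

main() {
  stack=$1
  reason=$(aws cloudformation describe-stacks --stack-name "$stack" \
      --query 'Stacks[0].StackStatusReason' --output text)
  ids=$(failed_ids_from_reason "$reason")
  if [ -z "$ids" ]; then
    echo "$stack: no DELETE_FAILED resources in status reason: $reason" >&2
    exit 1
  fi
  roles=""
  for id in $ids; do
    info=$(resource_info "$stack" "$id")
    case $info in
      "AWS::IAM::Role"*) roles="$roles $(printf '%s\n' "$info" | cut -f2)" ;;
      *) echo "retaining $id ($info); it needs manual cleanup of its own" >&2 ;;
    esac
  done
  retain_and_delete "$stack" $ids
  for role in $roles; do
    delete_role "$role"
  done
}

# Usage: ./cfn-retain-delete.sh <stack-name>. Without an argument only the
# functions are defined, so the file can also be sourced.
[ $# -gt 0 ] && main "$@"
```

The role is resolved to its physical name before the retry because CloudFormation only reports the logical ID, and assert_role_unused is deliberately run before any detach so the script fails closed rather than stranding an instance that still depends on the role.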
Answer
The correct answer is: C