How can the company prevent users from accidentally deleting data in this way?
Modify the CloudFormation templates to add a DeletionPolicy attribute to RDS and EBS resources.
Configure a stack policy that disallows the deletion of RDS and EBS resources.
Modify IAM policies to deny deleting RDS and EBS resources that are tagged with an ג€aws:cloudformation:stack-nameג€ tag.
Use AWS Config rules to prevent deleting RDS and EBS resources.
Explanations:
Adding a DeletionPolicy attribute to RDS and EBS resources in the CloudFormation template allows the company to specify the behavior of these resources upon stack deletion. For example, setting the DeletionPolicy toRetainensures that the resources (e.g., RDS databases, EBS volumes) will not be deleted when the stack is deleted, thus preserving the important data stored in them.
While a stack policy can be used to control actions on a CloudFormation stack, it does not specifically prevent the deletion of resources that are part of that stack. Instead, it controls which actions can be performed on the stack itself. Therefore, it cannot guarantee the retention of data in RDS and EBS resources when a stack is deleted.
Modifying IAM policies to deny deletion of RDS and EBS resources based on specific tags does not directly prevent accidental deletions through CloudFormation. IAM policies govern permissions, but if the CloudFormation stack is deleted, it will still delete resources unless they have a specified DeletionPolicy. This option also assumes proper tagging is consistently applied, which may not be reliable.
AWS Config rules can be set to monitor and enforce compliance for certain AWS resources, but they do not inherently prevent deletions. They are used for governance and compliance tracking rather than for controlling stack resource management during deletion events. Therefore, they do not offer a direct solution for preventing the deletion of data in RDS and EBS resources when a stack is deleted.