Which combination of steps should a solutions architect take to modify the solution to resolve this issue?

By:
In: SAP-C01
Tagged:
With: 1 Comment
A company uses an AWS CloudFormation template to deploy an Amazon Elastic Container Service (Amazon ECS) service into a production environment.The template includes an Amazon S3 bucket that is named by using a common prefix with the CloudFormation stack name.The company uses the same template to create temporary environments for development and continuous integration.Developers can create environments successfully, but they receive errors from CloudFormation when they attempt to delete the environments.The developers often need to delete and recreate stacks with the same names as part of the development and testing process.

Which combination of steps should a solutions architect take to modify the solution to resolve this issue?

(Choose two.)

Associate an AWS Lambda function with a CloudFormation custom resource to delete all keys that are present in a given S3 bucket. Implement this custom resource as part of the application’s CloudFormation template.

Modify the S3 bucket resource in the CloudFormation template by specifying Delete for the DeletionPolicy attribute. Specify the CAPABILITY_DELETE_NONEMPTY capability to process CloudFormation delete operations.

Modify the S3 bucket resource in the CloudFormation template by specifying Retain for the DeletionPolicy attribute. Configure an AWS Config custom rule to run every 24 hours to identify, empty, and delete buckets that are no longer owned by a CloudFormation stack.

Ensure that CloudFormation operations are being invoked by a role that has s3:DeleteObject permissions on all objects in the bucket.

Modify the S3 bucket resource in the CloudFormation template to configure a bucket policy that grants s3:DeleteObject permissions on all objects in the bucket.

Explanations:

By using an AWS Lambda function with a CloudFormation custom resource to delete all keys in the S3 bucket, it can ensure the bucket is emptied before deletion, resolving the issue when developers attempt to delete the stack.

The DeletionPolicy attribute only affects the lifecycle of the resource (such as whether it’s retained or deleted). Using CAPABILITY_DELETE_NONEMPTY does not change the fact that the bucket cannot be deleted if it contains objects.

Retaining the S3 bucket and using a custom AWS Config rule would complicate the cleanup process and is not directly relevant to solving the issue of deleting objects during stack deletion.

Ensuring that the CloudFormation role has s3permissions on all objects in the bucket allows CloudFormation to delete objects in the S3 bucket, which resolves the issue of not being able to delete the stack due to objects in the bucket.

A bucket policy with s3permissions on all objects would not directly solve the issue during stack deletion, as CloudFormation requires appropriate role permissions, not just a bucket policy.

2025-10-21

1 Comment

  1. Anna
    Author

    I figure that the answer is:
    Associate an AWS Lambda function with a CloudFormation custom resource to delete all keys that are present in a given S3 bucket. Implement this custom resource as part of the application’s CloudFormation template.

Leave a Reply

Your email address will not be published. Required fields are marked *

4 + thirteen =