AWS Certified Solutions Architect – Professional — Question 803
A company uses an AWS CloudFormation template to deploy an Amazon Elastic Container Service (Amazon ECS) service into a production environment. The template includes an Amazon S3 bucket that is named by using a common prefix with the CloudFormation stack name.
The company uses the same template to create temporary environments for development and continuous integration. Developers can create environments successfully, but they receive errors from CloudFormation when they attempt to delete the environments. The developers often need to delete and recreate stacks with the same names as part of the development and testing process.
Which combination of steps should a solutions architect take to modify the solution to resolve this issue? (Choose two.)
Answer options
- A. Associate an AWS Lambda function with a CloudFormation custom resource to delete all keys that are present in a given S3 bucket. Implement this custom resource as part of the application's CloudFormation template.
- B. Modify the S3 bucket resource in the CloudFormation template by specifying Delete for the DeletionPolicy attribute. Specify the CAPABILITY_DELETE_NONEMPTY capability to process CloudFormation delete operations.
- C. Modify the S3 bucket resource in the CloudFormation template by specifying Retain for the DeletionPolicy attribute. Configure an AWS Config custom rule to run every 24 hours to identify, empty, and delete buckets that are no longer owned by a CloudFormation stack.
- D. Ensure that CloudFormation operations are being invoked by a role that has s3:DeleteObject permissions on all objects in the bucket.
- E. Modify the S3 bucket resource in the CloudFormation template to configure a bucket policy that grants s3:DeleteObject permissions on all objects in the bucket.
Correct answer: A, D
Explanation
CloudFormation cannot delete an Amazon S3 bucket that still contains objects: S3 rejects the delete call for a non-empty bucket, so the stack deletion fails at the bucket resource. To resolve this, a custom resource backed by an AWS Lambda function (Option A) can empty the bucket programmatically when the custom resource receives its Delete request during stack deletion. Because the custom resource references the bucket, CloudFormation deletes the custom resource first, so the bucket is already empty when the bucket resource itself is deleted. Furthermore, the IAM role performing the CloudFormation deletion must be explicitly granted the s3:DeleteObject permission (Option D) so that the Lambda function or deletion process can remove the objects.
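The following is an added example of the Option A custom resource logic, not code from the question or from AWS: a Lambda handler that empties the bucket only when CloudFormation sends a Delete request, replies to the presigned ResponseURL so the stack operation never hangs, and paginates and batches the deletes the way the real S3 API requires. All function and class names (iter_keys, empty_bucket, handle, build_response, FakeS3, demo) are hypothetical, and FakeS3 is a constructed stand-in for the boto3 client so the example runs offline; the event shapes follow the CloudFormation custom resource request and response format.

```python
import json
import urllib.request

# Added example (not AWS code): Delete-time logic for a CloudFormation custom
# resource that empties an S3 bucket before CloudFormation deletes the bucket.
# Every function and class name here is hypothetical.

BATCH_SIZE = 1000  # DeleteObjects accepts at most 1000 keys per call

def iter_keys(s3, bucket):
    """Yield every object key in the bucket, following ListObjectsV2 pagination."""
    token = None
    while True:
        kwargs = {"Bucket": bucket}
        if token:
            kwargs["ContinuationToken"] = token
        resp = s3.list_objects_v2(**kwargs)
        for obj in resp.get("Contents", []):
            yield obj["Key"]
        if not resp.get("IsTruncated"):
            return
        token = resp["NextContinuationToken"]

def empty_bucket(s3, bucket):
    """Delete every object in batches; return the count. Unversioned buckets only:
    a versioned bucket also needs its versions and delete markers removed."""
    deleted, batch = 0, []
    for key in iter_keys(s3, bucket):
        batch.append({"Key": key})
        if len(batch) == BATCH_SIZE:
            s3.delete_objects(Bucket=bucket, Delete={"Objects": batch, "Quiet": True})
            deleted, batch = deleted + len(batch), []
    if batch:
        s3.delete_objects(Bucket=bucket, Delete={"Objects": batch, "Quiet": True})
        deleted += len(batch)
    return deleted

def handle(event, s3):
    """Custom resource logic: only a Delete request touches data."""
    bucket = event["ResourceProperties"]["BucketName"]
    deleted = empty_bucket(s3, bucket) if event["RequestType"] == "Delete" else 0
    return {"Status": "SUCCESS", "Reason": "",
            "PhysicalResourceId": event.get("PhysicalResourceId") or f"empty-{bucket}",
            "Data": {"Deleted": deleted}}

def build_response(event, result):
    """JSON body CloudFormation expects to be PUT to the presigned ResponseURL."""
    return {"Status": result["Status"], "Reason": result["Reason"],
            "PhysicalResourceId": result["PhysicalResourceId"],
            "StackId": event["StackId"], "RequestId": event["RequestId"],
            "LogicalResourceId": event["LogicalResourceId"],
            "Data": result.get("Data", {})}

def lambda_handler(event, context):
    """Real entry point. Always replies, so a failure surfaces as FAILED
    instead of leaving the stack delete hanging until the request times out."""
    import boto3  # imported here so the rest of the file runs without it
    try:
        result = handle(event, boto3.client("s3"))
    except Exception as exc:
        result = {"Status": "FAILED", "Reason": str(exc),
                  "PhysicalResourceId": event.get("PhysicalResourceId", "empty-failed")}
    body = json.dumps(build_response(event, result)).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req).read()

class FakeS3:
    """Constructed stand-in for the boto3 S3 client so the example runs offline."""
    def __init__(self, keys, page_size=2):
        self.objects, self.page_size, self.delete_calls = set(keys), page_size, []

    def list_objects_v2(self, Bucket, ContinuationToken=None):
        remaining = sorted(k for k in self.objects
                           if ContinuationToken is None or k > ContinuationToken)
        page = remaining[:self.page_size]
        resp = {"Contents": [{"Key": k} for k in page],
                "IsTruncated": len(remaining) > self.page_size}
        if resp["IsTruncated"]:
            resp["NextContinuationToken"] = page[-1]
        return resp

    def delete_objects(self, Bucket, Delete):
        self.delete_calls.append(len(Delete["Objects"]))
        for obj in Delete["Objects"]:
            self.objects.discard(obj["Key"])
        return {"Deleted": []}

def demo():
    """Constructed Delete event against a fake bucket holding five objects."""
    s3 = FakeS3(["build/a.zip", "build/b.zip", "logs/1.log", "logs/2.log", "logs/3.log"])
    event = {"RequestType": "Delete", "StackId": "stack-id", "RequestId": "req-1",
             "LogicalResourceId": "EmptyBucketOnDelete",
             "ResourceProperties": {"BucketName": "example-dev-stack-bucket"}}
    result = handle(event, s3)
    return result["Data"]["Deleted"], len(s3.objects), build_response(event, result)["Status"]
```

For this to work in a real stack, the custom resource must pass the bucket name as a property (so CloudFormation orders it before the bucket on delete), and the Lambda execution role needs s3:ListBucket on the bucket and s3:DeleteObject on its objects, which is the permission gap Option D describes. The handler treats Create and Update as no-ops and only ever deletes on an explicit Delete request, so a bucket in a production stack is not touched by a stack update.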