How should I handle the "AWS service owns ServiceLinkedConfigRule" deletion failure in CloudFormation stacks

2 minute read
Content level: Intermediate

When you attempt to delete a CloudFormation stack that AWS Config deployed for a conformance pack, and that stack contains ServiceLinkedConfigRule resources, the deletion can fail with the error "You do not have permissions to take action on this rule."

I want to delete my AWS Config conformance pack CloudFormation stack, but my ServiceLinkedConfigRule is stuck in DELETE_FAILED status.

Short description

Deleting a CloudFormation stack that AWS Config deployed for a conformance pack, and that contains ServiceLinkedConfigRule resources, can fail with the following error:

An AWS service owns ServiceLinkedConfigRule. You do not have permissions to take action on this rule. (Service: AmazonConfig; Status Code: 400; Error Code: AccessDeniedException; Request ID: {{Request_ID }}; Proxy: null)

This error occurs when you delete, directly in CloudFormation, a stack that AWS Config created for you when you deployed the conformance pack from the Config console. The ServiceLinkedConfigRule resources in that stack are owned by the Config service, not by your principal, so CloudFormation's delete of them is rejected with AccessDeniedException.

Resolution

Do not delete the rules or the CloudFormation stack of an AWS Config conformance pack directly from the CloudFormation console, unless the stack has drifted from the pack. Doing so leads to the error above and leaves the stack in DELETE_FAILED status.

The best practices to avoid such issues:
  1. Never delete the underlying CloudFormation stack for a conformance pack directly.

  2. To clear a stack that is already in DELETE_FAILED status, open the AWS Config console and select Conformance packs in the left pane.

  3. Select the deployed conformance pack and open the Actions drop-down.

  4. Choose Delete. Deleting the conformance pack through Config also deletes the underlying CloudFormation stack, including one that is in DELETE_FAILED status, because the service that owns the rules performs the deletion.

  5. To perform the same deletion from the API or CLI, use the following:

  6. For regular conformance packs, use the DeleteConformancePack API, or the equivalent CLI command:

    aws configservice delete-conformance-pack --conformance-pack-name example-name

  7. For organizational conformance packs (from the management account or a delegated administrator account), use the DeleteOrganizationConformancePack API, or the equivalent CLI command:

    aws configservice delete-organization-conformance-pack --organization-conformance-pack-name example-name
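The steps above, scripted end to end as an added example (this is not code from the original article or from AWS): the script asks Config to delete the pack, polls DescribeConformancePackStatus until Config no longer lists it, and then confirms that CloudFormation no longer knows the stack. It assumes AWS CLI v2 with credentials and a region already configured, and that the stack Config created for the pack follows the awsconfigconforms-<pack name> naming. The AWS_CLI, POLL_SECONDS and MAX_POLLS variables are knobs introduced here so the functions can be exercised with a stub in place of the real CLI.

```shell
#!/bin/sh
# Added example, not code from the original article: delete a conformance pack
# through AWS Config (the service that owns the stack's ServiceLinkedConfigRule
# resources), wait until Config reports the pack gone, then confirm that
# CloudFormation no longer has the stack.
# Assumptions: AWS CLI v2 with credentials and region configured; the stack
# Config created is named awsconfigconforms-<pack name>; AWS_CLI, POLL_SECONDS
# and MAX_POLLS are knobs introduced here so a stub can stand in for the CLI.
set -eu

AWS_CLI="${AWS_CLI:-aws}"
POLL_SECONDS="${POLL_SECONDS:-15}"
MAX_POLLS="${MAX_POLLS:-40}"

# Print the pack's ConformancePackState. Once Config no longer lists the pack
# the JMESPath [0] lookup yields null, which --output text prints as "None".
pack_state() {
  "$AWS_CLI" configservice describe-conformance-pack-status \
    --conformance-pack-names "$1" \
    --query 'ConformancePackStatusDetails[0].ConformancePackState' \
    --output text 2>/dev/null
}

# Ask Config to delete the pack, then poll. Returns 0 when the pack is gone,
# 1 if the delete call fails, Config reports DELETE_FAILED, or polling times out.
delete_pack() {
  pack="$1"
  state=""
  "$AWS_CLI" configservice delete-conformance-pack \
    --conformance-pack-name "$pack" || return 1
  n=0
  while [ "$n" -lt "$MAX_POLLS" ]; do
    state=$(pack_state "$pack" || true)
    case "$state" in
      ""|None) return 0 ;;
      DELETE_FAILED)
        echo "conformance pack $pack: DELETE_FAILED, inspect it in the Config console" >&2
        return 1 ;;
    esac
    n=$((n + 1))
    sleep "$POLL_SECONDS"
  done
  echo "conformance pack $pack: still $state after $MAX_POLLS polls" >&2
  return 1
}

# Returns 0 when CloudFormation no longer knows the pack's stack (describe-stacks
# by name fails once a stack is deleted), 1 if the stack still exists.
stack_gone() {
  if "$AWS_CLI" cloudformation describe-stacks \
       --stack-name "awsconfigconforms-$1" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Usage: sh delete_pack.sh <conformance-pack-name>
if [ "$#" -gt 0 ]; then
  delete_pack "$1"
  stack_gone "$1" || { echo "stack awsconfigconforms-$1 still present" >&2; exit 1; }
  echo "conformance pack $1 and its stack are gone"
fi
```

For an organizational pack, swap in `delete-organization-conformance-pack --organization-conformance-pack-name` and `describe-organization-conformance-pack-statuses --organization-conformance-pack-names` and run it from the management or delegated administrator account; the polling logic is the same.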

Conclusion

When a ServiceLinkedConfigRule in a conformance pack stack fails to delete, delete the conformance pack through AWS Config rather than the stack through CloudFormation. Following these practices ensures that conformance packs and their associated CloudFormation stacks are managed by the service that owns them.

AWS
EXPERT
published 2 months ago