How do I resolve the "Last applied policy cannot be deleted" error in CloudFormation?

Short description

When you try to delete your CloudFormation stack or policy resources, such as AWS::SQS::QueuePolicy, AWS::S3::BucketPolicy, and AWS::SNS::TopicPolicy, you might receive the following error:

"Last applied policy cannot be deleted. Please delete other policies applied to this resource before deleting the last applied policy."

If you apply one policy after another policy on the same resource, then the second policy becomes the last applied policy. When you try to delete the second policy, Cloudformation doesn't allow you to delete the policy.

Troubleshoot this error based on the following scenarios:

• The stack and policy resource are in the DELETE_FAILED state.
• The policy resource is deleted when there are other policy resources that other stacks deployed.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

The stack and policy resource are in the DELETE_FAILED state

If you tried to delete a stack and the policy resource didn't delete, then try to delete the stack again and skip the resource. To resolve a stack and policy that are in the DELETE_FAILED state, take one of the following actions:

• Open the CloudFormation console, and then choose Delete stack. In the You may retain resources that are failing to delete pop-up window, under Resources to retain, select the policy resource.
• Run the following AWS CLI command:

Note: Replace example-stack-name with the stack that failed to delete. Replace example-policy-resource-id with the ID of the policy resource that failed to delete.

aws cloudformation delete-stack example-stack-name --retain-resources example-policy-resource-id

 When you complete one of the preceding actions and try to delete the stack again, the resources that you selected to retain aren't deleted. The status of your stack changes to DELETE_COMPLETE.

Note: To prevent unnecessary charges, manually delete the retained resources when you delete the stack. If the resource that you applied the policy to is deleted, then you don't need to manually delete the resources. The policy resource is deleted when you delete the target resource.

For more information, see How do I delete an AWS CloudFormation stack that's stuck in DELETE_FAILED status?

Delete policy resources from different stacks that you applied to the same resource

If you applied multiple policies from different stacks to the same resource, then you must delete the first policy that you applied.

For example, you create ExamplePolicyA in example-stack-A and apply the policy to exampleQueue1. Then, you create ExamplePolicyB in example-stack-B and apply the policy to exampleQueue1 with different permissions.

When you try to delete ExamplePolicyB, you receive the following error:

"Last applied policy cannot be deleted. Please delete other policies applied to this resource before deleting the last applied policy."

To delete ExamplePolicyB, you must first delete ExamplePolicyA.

Note: It's a best practice to delete previous policies before you create a new policy.