
How do I resolve the "Last applied policy cannot be deleted" error in CloudFormation?


I want to resolve the "Last applied policy cannot be deleted" error in AWS CloudFormation.

Short description

When you try to delete CloudFormation policy resources, such as AWS::SQS::QueuePolicy, AWS::S3::BucketPolicy, AWS::SNS::TopicPolicy, and AWS::IAM::Policy, you might receive the following error message:

"Last applied policy cannot be deleted. Please delete other policies applied to this resource before deleting the last applied policy."

If you apply one policy and then another policy on the same resource, then the second policy becomes the last applied policy. When you try to delete the second policy, CloudFormation doesn't allow you to delete the policy.

Troubleshoot this issue based on one of the following scenarios:

  • The stack and policy are in the DELETE_FAILED state.
  • You tried to delete the policy resources from different stacks that you applied to the same resource.
  • The stack and policy are in the UPDATE_FAILED state.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

The stack and policy are in the DELETE_FAILED state

If you tried to delete a stack and the policy didn't delete, then use the CloudFormation console or AWS CLI to delete the stack again and skip the resource. 

CloudFormation console

Follow the instructions to force delete the stack in Delete a stack from the CloudFormation console.

AWS CLI

Run the following delete-stack command:

aws cloudformation delete-stack --stack-name example-stack-name --retain-resources example-policy-resource-id

Note: Replace example-stack-name with the stack that failed to delete and example-policy-resource-id with the ID of the policy resource that failed to delete.

After you delete the stack again, the resources that you selected to retain don't delete. The status of your stack changes to DELETE_COMPLETE.

Note: To prevent unnecessary charges, manually delete the retained resources when you delete the stack. If you delete the target resource, then the policy resource also gets deleted so you don't need to manually delete the resource.

For more information, see How do I delete an AWS CloudFormation stack that's stuck in DELETE_FAILED status?

You tried to delete policy resources from different stacks that you applied to the same resource

If you applied multiple policies from different stacks to the same resource, then you must delete the first policy that you applied.

For example, you create ExamplePolicyA in example-stack-A and apply the policy to exampleQueue1. Then, you create ExamplePolicyB in example-stack-B and apply the policy to exampleQueue1 with different permissions. When you try to delete ExamplePolicyB, you receive the following error:

"Last applied policy cannot be deleted. Please delete other policies applied to this resource before deleting the last applied policy."

To delete ExamplePolicyB, you must first delete ExamplePolicyA.

Note: It's a best practice to delete previous policies before you create a new policy.
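The two scenarios above reduce to the same bookkeeping: find which earlier-applied policies on a shared resource block the "last applied" one, and build the retain-resources delete-stack command for policy resources stuck in DELETE_FAILED. The following added example (not part of the article) does that over a constructed, offline sample; the LogicalResourceId, ResourceType, ResourceStatus and LastUpdatedTimestamp fields mirror list-stack-resources output, while the Target field is an assumption standing in for the queue, bucket, topic or IAM entity taken from each policy's template properties.

```python
from datetime import datetime

# Constructed sample records (not real CLI output). "Target" is assumed to have
# been read from each policy's template properties; it is not a CLI field.
SAMPLE_POLICIES = [
    {"StackName": "example-stack-A", "LogicalResourceId": "ExamplePolicyA",
     "ResourceType": "AWS::SQS::QueuePolicy", "Target": "exampleQueue1",
     "LastUpdatedTimestamp": "2024-01-10T09:00:00Z", "ResourceStatus": "CREATE_COMPLETE"},
    {"StackName": "example-stack-B", "LogicalResourceId": "ExamplePolicyB",
     "ResourceType": "AWS::SQS::QueuePolicy", "Target": "exampleQueue1",
     "LastUpdatedTimestamp": "2024-02-01T12:00:00Z", "ResourceStatus": "DELETE_FAILED"},
    {"StackName": "example-stack-C", "LogicalResourceId": "BucketPolicyC",
     "ResourceType": "AWS::S3::BucketPolicy", "Target": "example-bucket",
     "LastUpdatedTimestamp": "2024-03-05T08:30:00Z", "ResourceStatus": "CREATE_COMPLETE"},
]

# Resource types the article names as affected by the error.
POLICY_TYPES = {"AWS::SQS::QueuePolicy", "AWS::S3::BucketPolicy",
                "AWS::SNS::TopicPolicy", "AWS::IAM::Policy"}


def _applied_at(rec):
    return datetime.strptime(rec["LastUpdatedTimestamp"], "%Y-%m-%dT%H:%M:%SZ")


def blockers(policies, stack_name, logical_id):
    """Return (stack, logical id) pairs that must be deleted before the given
    policy: every earlier-applied policy on the same target, from any stack,
    oldest first. An empty list means the policy is not the 'last applied' one
    on a shared target, so it can be deleted directly."""
    target = next(p for p in policies
                  if p["StackName"] == stack_name and p["LogicalResourceId"] == logical_id)
    earlier = [p for p in policies
               if p is not target and p["Target"] == target["Target"]
               and _applied_at(p) < _applied_at(target)]
    return [(p["StackName"], p["LogicalResourceId"])
            for p in sorted(earlier, key=_applied_at)]


def retain_command(policies, stack_name):
    """Build the article's delete-stack command, retaining every policy
    resource of the stack that is stuck in DELETE_FAILED; None if none are."""
    failed = [p["LogicalResourceId"] for p in policies
              if p["StackName"] == stack_name
              and p["ResourceStatus"] == "DELETE_FAILED"
              and p["ResourceType"] in POLICY_TYPES]
    if not failed:
        return None
    return ("aws cloudformation delete-stack --stack-name " + stack_name
            + " --retain-resources " + " ".join(failed))
```

Retained policy resources still exist after the stack is gone; delete the target resource or the retained policy manually afterwards, as the article notes.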

The stack and policy resource are in the UPDATE_FAILED state

If you removed an entity from a policy, then your stack or policy resource might be in the UPDATE_FAILED state. This error occurs because the policy is attached to, or overridden by, another AWS::IAM::Policy resource that's defined in a different stack.

To resolve this issue, delete AWS::IAM::Policy resources from other stacks that you applied to the same entity before you try to remove the last applied policy.

Complete the following steps to delete the resource:

  1. In the failed stack, update the stack template to include DeletionPolicy: Retain in the policy resource type section.
    Example policy:

    ```yaml
    MySharedPolicy:
        Type: AWS::IAM::Policy
        DeletionPolicy: Retain # Add this line
        Properties:
            # existing properties remain the same
    ```
  2. Deploy the updated template with the retention policy.

  3. Delete the policy resource from your CloudFormation template.
    Note: Because you added the retention policy, the IAM policy doesn't delete.

  4. Update your stack to complete the removal process.
    Note: If you still need the policy resource in this stack, then add the resource back to your template based on the policy from step 1. Then, update the stack with the template to create the resource.

It's a best practice to migrate from AWS::IAM::Policy to AWS::IAM::RolePolicy, AWS::IAM::UserPolicy, or AWS::IAM::GroupPolicy.

If the issue continues or you can't identify the other stacks that contain the policy resource, then clean up and recreate the resource. When you recreate the policy resource, you might receive the "resource already exists" error. To resolve this issue, rename the PolicyName. It's a best practice to manage one policy resource in only one stack.

AWS OFFICIAL
Updated 7 months ago
2 Comments

Note on that command: you'll want to specify the stack name using the --stack-name argument, so the command should be: aws cloudformation delete-stack --stack-name example-stack-name --retain-resources example-policy-resource-id

tested using 2.18.12

AWS
replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
EXPERT
replied 2 years ago