If you have a specific stack version and try to remove the Cloud Sentry stack from your AWS account, you may encounter DELETE_FAILED at StackResourceCleanerCustom with an AccessDenied error, which prevents removal of the stack. Although this issue was fixed in the latest version of the Sentry stack, you might still experience it if you are on the previous stack. You can troubleshoot it as follows:
- In AWS CloudFormation, navigate to. Notice that Status is displayed as DELETE_FAILED with Status reason StackResourceBucketCleanerCustom AccessDenied.
- Select Resources and enter StackResourceBucket in the search field.
- Locate both StackResourceBucketCleanerLambdaRole and StackResourceBucketLogsCleanerLambdaRole under Logical ID.
- Under Physical ID, click the arrow icon next to each of the two physical IDs to open their IAM role definitions.
- In, select NNN-StackResourceBucketLogsCleanerFunction permission under Policy name.
- Use the Policy editor to add the following permissions, which are required to list S3 object versions:

    "Statement": [
      {
        "Action": [
          ...
          "s3:ListBucketVersions",
          "s3:GetObjectVersion",
          "s3:GetBucketVersioning"
        ],
        ...

- Click Next.
- On Review and save, click Save changes.
- If the error occurs in other regions, replicate the same changes in the corresponding regions.
- In Stacks, select the parent stack and click Delete to initiate the removal of all stacks, including the SentrySet stack, across all deployed regions.
- In the Delete stack? dialog, click Delete without selecting any of the offered options. This removes all stacks and resources, including S3 buckets and StackResourceCleanerCustom deployed for Sentry.
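To confirm the Policy editor change before retrying the delete, the following added example (not part of the original page or of Cloud Sentry) checks an exported policy document for the three actions and produces a patched copy. The sample policy, bucket name and function names are constructed for illustration, and extending the first Allow statement that already holds s3 actions is an assumption about where the actions belong.

```python
import copy
import json
from fnmatch import fnmatchcase

# Actions the page says to add so the cleaner can list S3 object versions.
REQUIRED = ["s3:ListBucketVersions", "s3:GetObjectVersion", "s3:GetBucketVersioning"]

# Constructed sample policy (not the real Cloud Sentry policy); bucket name is a placeholder.
SAMPLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:DeleteObject", "s3:DeleteObjectVersion"],
         "Resource": ["arn:aws:s3:::EXAMPLE-BUCKET", "arn:aws:s3:::EXAMPLE-BUCKET/*"]},
    ],
}

def _as_list(value):
    # IAM accepts a single item or a list for both "Statement" and "Action".
    return [value] if isinstance(value, (str, dict)) else list(value)

def missing_actions(policy):
    """Return the REQUIRED actions that no Allow statement grants (wildcards honoured)."""
    granted = [a.lower() for s in _as_list(policy.get("Statement", []))
               if s.get("Effect") == "Allow" for a in _as_list(s.get("Action", []))]
    return [r for r in REQUIRED if not any(fnmatchcase(r.lower(), g) for g in granted)]

def add_missing(policy):
    """Return (patched copy, actions added); extends the first Allow statement with s3 actions."""
    patched = copy.deepcopy(policy)
    missing = missing_actions(patched)
    if not missing:
        return patched, []
    statements = _as_list(patched.get("Statement", []))
    for stmt in statements:
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and any(a.lower().startswith("s3:") for a in actions):
            stmt["Action"] = actions + missing
            patched["Statement"] = statements
            return patched, missing
    raise ValueError("no Allow statement with s3 actions to extend")

if __name__ == "__main__":
    patched, added = add_missing(SAMPLE)
    print("added:", added)
    print(json.dumps(patched, indent=2))
```

The check reads only the Action lists of Allow statements; it does not evaluate Resource scope, conditions or explicit Deny statements.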