Cleanup instructions

After trying this AWS Built-in solution, you may want to redeploy or remove it completely. In either case, this solution leaves certain resources as-is when you delete the stacks that are deployed. This behavior is working as designed to avoid deleting the history of data collections in your accounts.

You can clean up the resources created by this AWS Built-in solution to avoid incurring charges for them and to avoid conflicts when redeploying the stack.

This section provides instructions to clean up the resources created by the AWS Built-in package.

1. Delete the CloudFormation stack

  1. Navigate to the AWS CloudFormation console.
  2. Choose the stack created by the AWS Built-in solution and delete it.
  3. Wait for the DELETE_COMPLETE status to confirm the stack deletion.

2. Delete resources created by the AWS Built-in solution

Automated cleanup (PLEASE REVIEW the manual cleanup steps below for resources that are not deleted by the automated cleanup)

Establish a session to the management account and run the following command:

cd ${REPO_ROOT}/scripts
python3 cleanup_config.py -C cleanup_config.json

Note-1: The automated cleanup script will not delete all the stacks. You still need to delete the stacks *CloudTrailStack* and *GuardDutyStack* manually (if they exist).

Note-2: If you chose pDisableGuardDuty as No (the default) during the installation of the solution, you need to delete the GuardDuty detector in all regions.

Manual cleanup

In the management account:

  1. Delete the following Amazon S3 buckets.
  • sra-gd-staging-<account-id>-<region>
  • sra-cloudtrail-staging-<account-id>-<region>
  • sra-helper-<account-id>-<region>
  • sra-staging-<account-id>-<region> # Repeat for all regions where the solution is deployed.
  2. Delete Systems Manager parameters that start with the following prefixes. Repeat for all active regions.
  • /sra/regions/
  • /sra/control-tower/
  • /sra/staging-s3-bucket-name
  3. Delete the AWS CloudWatch log groups that start with the following prefixes:
  • /sra/sra-org-trail
  • /aws/lambda/sra-codebuild-project-lambda
  • /aws/lambda/sra-guardduty-codebuild-project-lambda
  4. Delete the AWS CodeBuild build projects that start with the following prefix.
  • sra-codebuild-project
  5. Delete the AWS IAM roles listed below.
  • sra-execution
  6. Delete the stack set named sra-stackset-execution-role.
  7. Delete the stacks with the following stack names:
  • sra-common-prerequisites-staging-s3-bucket
  • *CloudTrailStack*
  • *GuardDutyStack*
  8. Delete GuardDuty detectors in all regions (only if you chose pDisableGuardDuty as No during the installation of the solution).

In the log archive account:

  1. Delete the following Amazon S3 buckets.
  • sra-guardduty-org-delivery-<account-id>-<region>
  • sra-org-trail-logs-<account-id>-<region>
  2. Delete Systems Manager parameters that start with the following prefixes. Repeat for all active regions.
  • /sra/regions/
  • /sra/control-tower/
  3. Delete the AWS CloudWatch log groups that start with the following prefixes:
  • /aws/lambda/sra-ct-s3
  • /aws/lambda/sra-gd-s3
  • /sra/gd/
  4. Delete the AWS IAM roles listed below.
  • sra-execution

In the audit account:

  1. Delete the AWS IAM roles listed below.
  • sra-execution
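Because the automated script leaves some resources behind, it helps to verify the manual cleanup before considering an account clean. The script below is an added example, not part of the AWS Built-in solution or the SRA repository: it is a read-only audit that lists, per account type, every resource whose name still matches the prefixes in the manual cleanup steps above, so an empty result means the manual cleanup for that account is complete. It assumes boto3 credentials for the account being audited, the list of regions the solution was deployed in, and the account labels used on this page (management, log archive, audit). The placeholder stacks *CloudTrailStack* and *GuardDutyStack* have deployment-specific names and are not matched; check those by hand. Nothing in the script deletes anything.

```python
"""Read-only audit of leftovers from the manual cleanup steps (added example)."""
from __future__ import annotations

# Name prefixes copied from the manual cleanup steps on this page, keyed by the
# account the page describes. Stack names are exact names, not prefixes.
MANUAL_CLEANUP = {
    "management": {
        "s3": ["sra-gd-staging-", "sra-cloudtrail-staging-", "sra-helper-", "sra-staging-"],
        "ssm": ["/sra/regions/", "/sra/control-tower/", "/sra/staging-s3-bucket-name"],
        "logs": ["/sra/sra-org-trail", "/aws/lambda/sra-codebuild-project-lambda",
                 "/aws/lambda/sra-guardduty-codebuild-project-lambda"],
        "codebuild": ["sra-codebuild-project"],
        "iam": ["sra-execution"],
        "stacks": ["sra-common-prerequisites-staging-s3-bucket"],
        "stacksets": ["sra-stackset-execution-role"],
    },
    "log_archive": {
        "s3": ["sra-guardduty-org-delivery-", "sra-org-trail-logs-"],
        "ssm": ["/sra/regions/", "/sra/control-tower/"],
        "logs": ["/aws/lambda/sra-ct-s3", "/aws/lambda/sra-gd-s3", "/sra/gd/"],
        "iam": ["sra-execution"],
    },
    "audit": {"iam": ["sra-execution"]},
}


def matching(names, prefixes):
    """Return the names that start with any of the given prefixes, sorted and de-duplicated."""
    return sorted({n for n in names if any(n.startswith(p) for p in prefixes)})


def find_leftovers(account_kind, inventory):
    """Compare an inventory {service: [names]} against the page's cleanup list.

    Only services that still have matching resources are returned, so an empty
    dict means nothing from the manual cleanup list remains in that account.
    GuardDuty detectors (management account, pDisableGuardDuty=No) are reported
    as-is because they are identified by ID rather than by name prefix.
    """
    leftovers = {}
    for service, prefixes in MANUAL_CLEANUP[account_kind].items():
        found = matching(inventory.get(service, []), prefixes)
        if found:
            leftovers[service] = found
    if account_kind == "management" and inventory.get("guardduty"):
        leftovers["guardduty"] = sorted(inventory["guardduty"])
    return leftovers


def collect_inventory(session, regions):
    """Gather resource names with read-only boto3 list/describe calls.

    `session` is a boto3.Session for the account under audit; boto3 is only
    needed here, so find_leftovers() can be exercised without AWS access.
    """
    inv = {k: [] for k in ("s3", "ssm", "logs", "codebuild", "iam", "stacks", "stacksets", "guardduty")}
    inv["s3"] = [b["Name"] for b in session.client("s3").list_buckets()["Buckets"]]
    for page in session.client("iam").get_paginator("list_roles").paginate():
        inv["iam"] += [r["RoleName"] for r in page["Roles"]]
    live_stack_states = ["CREATE_COMPLETE", "UPDATE_COMPLETE", "ROLLBACK_COMPLETE", "DELETE_FAILED"]
    for region in regions:
        ssm = session.client("ssm", region_name=region)
        for page in ssm.get_paginator("describe_parameters").paginate():
            inv["ssm"] += [p["Name"] for p in page["Parameters"]]
        logs = session.client("logs", region_name=region)
        for page in logs.get_paginator("describe_log_groups").paginate():
            inv["logs"] += [g["logGroupName"] for g in page["logGroups"]]
        codebuild = session.client("codebuild", region_name=region)
        for page in codebuild.get_paginator("list_projects").paginate():
            inv["codebuild"] += page["projects"]
        cfn = session.client("cloudformation", region_name=region)
        for page in cfn.get_paginator("list_stacks").paginate(StackStatusFilter=live_stack_states):
            inv["stacks"] += [s["StackName"] for s in page["StackSummaries"]]
        for page in cfn.get_paginator("list_stack_sets").paginate(Status="ACTIVE"):
            inv["stacksets"] += [s["StackSetName"] for s in page["Summaries"]]
        guardduty = session.client("guardduty", region_name=region)
        inv["guardduty"] += [f"{region}:{d}" for d in guardduty.list_detectors()["DetectorIds"]]
    return inv


if __name__ == "__main__":
    # Usage: python3 audit_leftovers.py management us-east-1 us-west-2
    import sys
    import boto3

    account_kind, regions = sys.argv[1], sys.argv[2:]
    report = find_leftovers(account_kind, collect_inventory(boto3.Session(), regions))
    for service, names in report.items():
        print(f"{service}: {', '.join(names)}")
    print("cleanup complete" if not report else f"{len(report)} service(s) still have leftovers")
```

Run it once per account with the credentials of that account (for the log archive and audit accounts only the IAM step applies, so the extra region calls simply return nothing relevant). Stack sets are listed via the same regional client the solution deploys them from; if you deployed from a different home region, add it to the region list.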