Tear down this lab

If you are attending an in-person workshop and were provided with an AWS account by the instructor:

  • There is no need to tear down the lab. Feel free to continue exploring. Log out of your AWS account when done.

If you are using your own AWS account:

  • You may leave these resources deployed for as long as you want. When you are ready to delete these resources, see the following instructions

Delete S3 Bucket used by canary

The canary (synthetic monitor) puts its run data into an S3 bucket. You need to empty and delete the bucket

  1. Go to the S3 Console
  2. Select the checkbox next to the bucket whose name starts with webserversforresiliencytesting-canarybucket
  3. Click Empty
  4. Follow the directions to empty the bucket
  5. Click Exit
  6. Ensuring the checkbox next to the canary bucket is still selected, click Delete
  7. Follow the directions to delete the bucket

Remove manually provisioned resources

Some resources were created by the failure simulation scripts. If you ran the AZ failure injection You need to remove these.

  1. Go to the Network ACL console
  2. Look at the NACL entries for the VPC called ResiliencyVPC
  3. For any of these NACLs that are not Default do the following
    1. Select the NACL
    2. Actions » Edit subnet associations
    3. Uncheck all boxes and click Edit
    4. Actions » Delete network ACL

Remove AWS CloudFormation provisioned resources

As part of lab setup you have deployed several AWS CloudFormation stacks. These directions will show you:

  • How to delete an AWS CloudFormation stack
  • In what specific order the stacks must be deleted

How to delete an AWS CloudFormation stack

  1. Go to the AWS CloudFormation console: https://console.aws.amazon.com/cloudformation

  2. Select the CloudFormation stack to delete and click Delete


  3. In the confirmation dialog, click Delete stack

  4. The Status changes to DELETE_IN_PROGRESS

  5. Click the refresh button to update and status will ultimately progress to DELETE_COMPLETE

  6. When complete, the stack will no longer be displayed. To see deleted stacks use the drop down next to the Filter text box.


  7. To see progress during stack deletion

    • Click the stack name
    • Select the Events column
    • Refresh to see new events

Delete workshop CloudFormation stacks

  • Since AWS resources deployed by AWS CloudFormation stacks may have dependencies on the stacks that were created before, then deletion must occur in the opposite order they were created
  • Stacks with the same ordinal can be deleted at the same time. All stacks for a given ordinal must be DELETE_COMPLETE before moving on to the next ordinal

Single region

If you deployed the single region option, then delete your stacks in the following order

OrderCloudFormation stack

Multi region

If you deployed the multi region option, then see these instructions for the order in which to delete the CloudFormation stacks

Delete remaining resources

Delete Lambda execution role used to create custom resource

This role was purposely not deleted by the CloudFormation stack, because CloudFormation needs it to delete the custom resource it was used to create. Choose ONE: AWS CLI or AWS Console.

  • Do this step only after ALL CloudFormation stacks are DELETE_COMPLETE

Using AWS CLI:

aws iam delete-role-policy --role-name LambdaCustomResourceRole-SecureSsmForRds --policy-name LambdaCustomResourcePolicy

aws iam delete-role --role-name LambdaCustomResourceRole-SecureSsmForRds

Using AWS Console:

  1. Go to the IAM Roles Console: https://console.aws.amazon.com/iam/home#/roles
  2. Search for SecureSsmForRds
  3. Check the box next to LambdaCustomResourceRole-SecureSsmForRds
  4. Click Delete role button
  5. Click Yes, delete button

Delete Systems Manager parameter

The password(s) for your Amazon RDS instances were stored in AWS Systems Manager secure parameter store. These steps will verify the parameter(s) were deleted, and if not then guide you to deleting them. Choose ONE: AWS CLI or AWS Console.

  • single region You only need to do the following steps in us-east-2
  • multi region Do the following steps for both us-east-2 and us-west-2

Using AWS CLI:

  • The following command will delete the parameter:

      aws ssm delete-parameter --name 300-ResiliencyofEC2RDSandS3

If you get ParameterNotFound then the password was already deleted by the CloudFormation stack (as expected).

Using AWS Console:

  1. Select the region
  2. Wait until ResiliencyVPC CloudFormation stack is DELETE_COMPLETE in the region
  3. Go to the AWS Console for AWS Systems Manager parameter store
  4. Look for the parameter created for your infrastructure. If you used our default values, this will be named 300-ResiliencyofEC2RDSandS3
  5. If it is not present (check all regions you deployed to) then you are finished
  6. If it is present then
    1. Click on the parameter name
    2. Click the Delete button
    3. Click Delete again

Delete FIS experiment templates

  1. Navigate to the FIS console at http://console.aws.amazon.com/fis
  2. For each experiment template created as part of this lab:
    • Select the template
    • Click Actions
    • Select Delete experiment template

Delete FIS service role

  1. Navigate to the AWS Identity and Access Management (IAM) console.
  2. Delete the WALab-FIS-policy IAM policy.
  3. Delete the WALab-FIS-role IAM role.

References & useful resources