I was managing a large CloudFormation stack in production when an update failed, and the stack got stuck in UPDATE_ROLLBACK_FAILED status. The console showed “Unable to perform this action,” and I couldn’t apply any further updates or rollbacks. After digging into the stack events, I found a few resources that were blocking the rollback entirely. In this post, I’ll walk through exactly what causes this and how to fix it.
The Problem
When a CloudFormation update fails and CloudFormation attempts to roll back, it sometimes encounters resources that can’t be deleted or reverted. The stack gets stuck in UPDATE_ROLLBACK_FAILED status, leaving you unable to update or delete the stack.
The AWS console displays this error:
Unable to perform this action. The stack [stack-name] is in [UPDATE_ROLLBACK_FAILED] state.
Stack events show failures like:
| Status | Description |
|---|---|
| DELETE_IN_PROGRESS | The rollback operation is trying to delete resources |
| DELETE_FAILED | Resource deletion failed, blocking the rollback |
| UPDATE_ROLLBACK_FAILED | The entire rollback operation failed and the stack is stuck |
Why Does This Happen?
- Resource was manually modified — You or another team member changed the resource outside CloudFormation (via console or CLI). When rollback tries to revert it, the state doesn’t match what CloudFormation expects, causing the rollback to fail.
- Deletion dependency blocked — The resource has a dependency preventing deletion. For example, an S3 bucket with objects, an RDS database with snapshots, or an ENI still attached to an EC2 instance.
- IAM permissions removed mid-update — During the update, someone removed IAM permissions from the CloudFormation execution role. The rollback can’t proceed without the necessary permissions to delete resources.
- Resource in different account/region unavailable — For cross-account or cross-region resources, the target resource became unavailable or was deleted, breaking the rollback chain.
The Fix
Use the continue-update-rollback action with --resources-to-skip to skip problematic resources and allow the stack to reach a stable state.
First, identify which resources are blocking the rollback:
```bash
# List all failed resources during the UPDATE_ROLLBACK
aws cloudformation describe-stack-events \
  --stack-name my-stack \
  --query "StackEvents[?ResourceStatus=='UPDATE_FAILED' || ResourceStatus=='DELETE_FAILED']" \
  --output table
```
Once you’ve identified the problematic resources, use their logical IDs and continue the rollback while skipping them:
```bash
# Continue rollback, skipping the problematic resources
aws cloudformation continue-update-rollback \
  --stack-name my-stack \
  --resources-to-skip MyBucket MyFunction OtherResource
```
How to Run This
- Get the stack name from the AWS CloudFormation console, or list stacks:

  ```bash
  aws cloudformation list-stacks --stack-status-filter UPDATE_ROLLBACK_FAILED
  ```
- Describe stack events to find the exact resource logical IDs:

  ```bash
  aws cloudformation describe-stack-events --stack-name my-stack --query "StackEvents" --output table
  ```
- Run the continue-update-rollback command with the logical IDs of the resources you want to skip
- Monitor the rollback progress:

  ```bash
  aws cloudformation describe-stacks --stack-name my-stack --query "Stacks[0].StackStatus"
  ```
- Wait for the stack status to return to ROLLBACK_COMPLETE or another stable state
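The event query above matches every UPDATE_FAILED or DELETE_FAILED event in the stack's history, including the failure that triggered the rollback in the first place. The following added example (not from the original post) narrows the list to resources that failed during the most recent rollback attempt. The function names, the four-column `--query` projection and the sample events are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example. Input on stdin: tab-separated events, newest first, e.g. from
#   aws cloudformation describe-stack-events --stack-name my-stack --output text \
#     --query 'StackEvents[].[Timestamp,LogicalResourceId,ResourceType,ResourceStatus]'

# Print "LogicalId<TAB>ResourceType" for each resource that failed during the
# most recent rollback attempt of the stack named in $1.
skip_candidates() {
  awk -F'\t' -v stack="$1" '
    # The stack-level UPDATE_ROLLBACK_IN_PROGRESS event marks the start of the
    # latest rollback attempt. Older events follow it, so stop reading there.
    $2 == stack && $4 == "UPDATE_ROLLBACK_IN_PROGRESS" { exit }
    # Other stack-level status lines are not resources.
    $2 == stack { next }
    # Same statuses as the query in the post; report each logical ID once.
    ($4 == "UPDATE_FAILED" || $4 == "DELETE_FAILED") && !seen[$2]++ {
      print $2 "\t" $3
    }'
}

# Space-separated logical IDs, in the form --resources-to-skip expects.
skip_ids() {
  skip_candidates "$1" | cut -f1 | paste -sd ' ' -
}

# Constructed sample events (not real AWS output), newest first.
sample_events() {
  printf '%s\t%s\t%s\t%s\n' \
    2024-05-01T10:07:00Z my-stack   AWS::CloudFormation::Stack UPDATE_ROLLBACK_FAILED \
    2024-05-01T10:06:00Z MyBucket   AWS::S3::Bucket            DELETE_FAILED \
    2024-05-01T10:05:30Z MyFunction AWS::Lambda::Function      UPDATE_FAILED \
    2024-05-01T10:05:00Z MyBucket   AWS::S3::Bucket            DELETE_IN_PROGRESS \
    2024-05-01T10:04:00Z my-stack   AWS::CloudFormation::Stack UPDATE_ROLLBACK_IN_PROGRESS \
    2024-05-01T10:03:00Z MyQueue    AWS::SQS::Queue            UPDATE_FAILED \
    2024-05-01T10:00:00Z my-stack   AWS::CloudFormation::Stack UPDATE_IN_PROGRESS
}

# Review the candidates and their types before skipping anything.
sample_events | skip_candidates my-stack
echo "--resources-to-skip $(sample_events | skip_ids my-stack)"
```

In the sample, MyQueue is left out because its failure predates the rollback, so only MyBucket and MyFunction are offered as skip candidates.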
Is This Safe?
Yes, but with caveats. Resources you skip remain in their current state and are no longer managed by CloudFormation—they become “drifted.” You’ll need to manually delete them later or import them back into the stack once you’ve resolved the underlying issue.
Key Takeaway
When a CloudFormation stack gets stuck in UPDATE_ROLLBACK_FAILED, use continue-update-rollback with --resources-to-skip to unblock the stack. Identify the problematic resources first, skip them, and then address the root cause (permissions, dependencies, or manual modifications) before attempting another update.