AWS Setup

AWS CloudFormation Guide

Update your existing CloudFormation stack when CloudSweeper adds new resource support, or troubleshoot common issues.

Update Existing CloudFormation Stack

When CloudSweeper adds support for new AWS resources, you may need to update your stack to grant the required permissions. This is a simple process that won't affect your existing configuration.

Your Configuration Won't Change

  • ✓ External ID remains the same
  • ✓ Role ARN remains the same
  • ✓ Trust relationship remains intact
  • ✓ No reconfiguration needed in CloudSweeper

Option 1: AWS CLI (One Command, Fastest)

Run this command in your terminal or AWS CloudShell:

aws cloudformation update-stack \
  --stack-name CloudSweeper \
  --template-url https://cloudsweeper-cf-templates.s3.amazonaws.com/cloudsweeper.yaml \
  --capabilities CAPABILITY_NAMED_IAM

Option 2: AWS Console

  1. Go to AWS CloudFormation Console
  2. Select your CloudSweeper stack
  3. Click Update button (top right)
  4. Select Replace current template
  5. Choose Amazon S3 URL and enter: https://cloudsweeper-cf-templates.s3.amazonaws.com/cloudsweeper.yaml
  6. Click Next (keep existing parameters unchanged)
  7. Click Next again (stack options)
  8. Check: "I acknowledge that this template may create IAM resources"
  9. Click Update stack
  10. Wait for status: UPDATE_COMPLETE (1-2 minutes)

What Actually Changes:

Only the IAM policy permissions are updated. The role name, trust relationship, and all existing permissions remain intact. New permissions are simply added to support additional AWS resource types.

Troubleshooting

Stack not found?

Make sure you're in the correct AWS region. CloudFormation stacks are regional. Check the region selector in the top-right of the AWS Console.

UPDATE_ROLLBACK_COMPLETE error?

The update failed and was rolled back. Check the Events tab in CloudFormation for the specific error. Common causes: insufficient IAM permissions, or the template URL is inaccessible.

InsufficientCapabilities error?

You forgot to check the IAM acknowledgment checkbox. Go back and ensure you check "I acknowledge that this template may create IAM resources". If you are using the CLI, make sure the command includes --capabilities CAPABILITY_NAMED_IAM.

Access Denied when running CLI command?

Your AWS CLI credentials need permissions to update CloudFormation stacks and IAM roles. Try using AWS CloudShell instead, which uses your console credentials.

ValidationError: Parameters [CustomerEmail, ExternalId] must have values?

The CloudFormation template requires these parameters. When updating via the CLI, you must provide your current parameter values. Get them from your CloudSweeper Settings page and add them to the command:

aws cloudformation update-stack \
  --stack-name CloudSweeper \
  --template-url https://cloudsweeper-cf-templates.s3.amazonaws.com/cloudsweeper.yaml \
  --parameters ParameterKey=CustomerEmail,ParameterValue=YOUR_EMAIL ParameterKey=ExternalId,ParameterValue=YOUR_EXTERNAL_ID \
  --capabilities CAPABILITY_NAMED_IAM

Stack name is different?

If your stack has a different name (e.g., CloudSweeper-Production), replace CloudSweeper in the CLI command with your actual stack name.

Security Notes

  • The IAM role only allows CloudSweeper to read and tag resources, never delete
  • External ID is used for secure cross-account access (never share it publicly)
  • CloudSweeper's AWS Account ID is 811740411929
  • You can review all permissions in the CloudFormation template
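
To check a deployed role against the notes above after an update, this added example (not CloudSweeper's code) audits the role's trust policy and permission policy as JSON documents. The function names, the list of destructive prefixes and the sample policies are assumptions constructed for illustration; only the account ID comes from this page.

```python
VENDOR_ACCOUNT_ID = "811740411929"  # CloudSweeper's AWS account ID, as stated on this page
DESTRUCTIVE = ("delete", "terminate")  # assumption: action prefixes worth a manual review

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust(trust, external_id):
    """Return findings for a role trust policy (AssumeRolePolicyDocument)."""
    findings = []
    for st in as_list(trust.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if not isinstance(principal, dict):  # e.g. "Principal": "*"
            findings.append(f"wildcard principal: {principal}")
            continue
        for kind, values in principal.items():
            for p in as_list(values):
                ok = kind == "AWS" and (p == VENDOR_ACCOUNT_ID
                                        or p.startswith(f"arn:aws:iam::{VENDOR_ACCOUNT_ID}:"))
                if not ok:
                    findings.append(f"unexpected principal: {kind}={p}")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or mismatched")
    return findings

def audit_permissions(policy):
    """Return allowed actions that contradict 'read and tag, never delete'."""
    findings = []
    for st in as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st:
            findings.append("Allow with NotAction grants everything not listed")
        for action in as_list(st.get("Action", [])):
            name = action.split(":")[-1].lower()
            if name == "*" or name.startswith(DESTRUCTIVE):
                findings.append(f"review action: {action}")
    return findings

# Constructed sample documents (not taken from the CloudSweeper template).
GOOD_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::811740411929:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
BAD_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                            "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]}
SAMPLE_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "ec2:DescribeInstances", "ec2:CreateTags", "s3:DeleteBucket"]}]}
```

An empty list from both functions means the role matches the notes above; any finding is a line to compare against the CloudFormation template before trusting the update.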

Advanced: Manual Setup (if not using one-click)

Note: Most users should use the one-click setup in the Settings page. This manual guide is for advanced users who prefer full control over the deployment process.

1. Deploy the CloudFormation Template

  1. Sign in to the AWS Console
  2. Open CloudFormation service
  3. Click Create stack > With new resources (standard)
  4. Choose Upload a template file
  5. Upload the cloudsweeper.yaml template
  6. Click Next
  7. Enter stack name: CloudSweeper
  8. Enter VendorAccountId: 811740411929
  9. Enter ExternalId: Your External ID from CloudSweeper Settings
  10. Enter CustomerEmail: Your email address
  11. Click Next twice, acknowledge IAM creation, then Create stack

2. Retrieve the Role ARN

  1. Wait for stack status: CREATE_COMPLETE
  2. Click the Outputs tab
  3. Copy the RoleArn value
  4. Paste it into CloudSweeper Settings