This guide provides step-by-step instructions for removing resources deployed by the AI/ML Security Assessment framework.
Before deleting any stacks, record the S3 bucket names from the stack outputs. After a stack is deleted, its outputs are no longer available.
The deployment creates two kinds of buckets:

- AssessmentBucket: output from the stack you deployed manually, such as aiml-security-single-account or aiml-security-multi-account.
- AssessmentBucketName: output from the auto-created SAM stacks, such as aiml-sec-{account_id}, aiml-security-{account_id}, or aiml-security-mgmt. These buckets use DeletionPolicy: Retain, so they remain after the SAM assessment stack is deleted and must be deleted manually if you want a full cleanup.

For a clean removal, delete resources in this order:

1. The auto-created SAM assessment stacks (aiml-sec-{account_id}, aiml-security-{account_id}, aiml-security-mgmt).
2. The infrastructure stack you deployed manually.
3. The retained assessment buckets, after emptying them.
The buckets created by this framework are versioned. A recursive aws s3 rm removes current objects, but versioned buckets can still contain noncurrent versions and delete markers. Use the following helper to remove current objects, noncurrent versions, delete markers, and then the bucket.
This command requires jq.
```bash
#!/usr/bin/env bash
# Empties a versioned bucket (current objects, noncurrent versions, delete markers)
# in batches of 1000 and then removes the bucket. Requires the AWS CLI and jq.
set -euo pipefail

BUCKET_NAME="<bucket-name>"

# Remove current objects first; noncurrent versions and delete markers remain.
aws s3 rm "s3://${BUCKET_NAME}" --recursive

# delete-objects accepts at most 1000 keys per call, so loop until the listing is empty.
# Once nothing is left, the CLI prints no JSON at all, so slurp (-s) and default to {}
# instead of handing jq an empty input.
while true; do
  delete_payload=$(aws s3api list-object-versions \
    --bucket "${BUCKET_NAME}" \
    --output json \
    | jq -cs 'add // {} | {Objects: (((.Versions // []) + (.DeleteMarkers // [])) | map({Key, VersionId}) | .[0:1000]), Quiet: true}')
  object_count=$(echo "${delete_payload}" | jq '.Objects | length')
  if [ "${object_count}" -eq 0 ]; then
    break
  fi
  aws s3api delete-objects \
    --bucket "${BUCKET_NAME}" \
    --delete "${delete_payload}"
done

# Only succeeds once the bucket holds no versions or delete markers at all.
aws s3 rb "s3://${BUCKET_NAME}"
```
Repeat this for each infrastructure and assessment bucket you want to remove.
To remove all resources deployed for single-account assessment:

1. Delete the aiml-sec-{account_id} stack (for example, aiml-sec-123456789012). Record its AssessmentBucketName value before you do.
2. Delete the aiml-security-single-account stack (or your custom stack name). Record its AssessmentBucket value before you do.
3. Delete the retained AssessmentBucketName bucket from the SAM assessment stack.

If deletion of the infrastructure stack fails because AssessmentBucket is not empty, empty and delete that bucket, then retry the stack deletion.
To remove all resources deployed for multi-account assessment:

1. In each member account, delete the aiml-security-{account_id} stack (for example, aiml-security-123456789012), and also delete the aiml-security-mgmt stack. Record each stack's AssessmentBucketName value before you do.

   ```bash
   # Assume role in member account and delete stack
   aws cloudformation delete-stack --stack-name aiml-security-<account_id> \
       --region <deployment-region>
   ```

2. Delete the aiml-security-multi-account stack, or the custom stack name you chose. Record its AssessmentBucket value before you do.
3. Delete the StackSet deployed from deployment/1-aiml-security-member-roles.yaml (for example, aiml-security-member-roles, or your custom StackSet name). A StackSet can only be deleted after all of its stack instances have been removed from the member accounts.
4. Delete the retained AssessmentBucketName bucket from each per-account SAM assessment stack.

If deletion of the infrastructure stack fails because AssessmentBucket is not empty, empty and delete that bucket, then retry the stack deletion.

To find likely assessment buckets:

```bash
aws s3 ls | grep aiml-security
```

This only matches bucket names that contain aiml-security, so treat it as a heuristic; the stack outputs you recorded before deletion are the authoritative list.
The deployment creates multiple AWS CloudFormation stacks. Here's how to identify them:

| Stack Type | How to Identify | Action |
|---|---|---|
| Infrastructure Stack (yours) | The name you chose (for example, aiml-security-single-account) | Delete after assessment stacks |
| Assessment Stack (auto-generated) | aiml-sec-{account_id} (single), aiml-security-{account_id} or aiml-security-mgmt (multi) | Delete before the infrastructure stack |
Quick Check: If you see a stack name starting with aiml-sec- or aiml-security- followed by numbers (or aiml-security-mgmt), that’s an auto-generated assessment stack.
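The single-account sequence as a script, added here as an example and not part of the framework's own tooling: it reads both bucket outputs before anything is deleted, classifies stack names with the Quick Check rule, deletes the assessment stack before the infrastructure stack, and waits for each deletion to finish. The AWS_REGION and INFRA_STACK variables, the AIML_CLEANUP_EXECUTE guard and the buckets-to-remove.txt file name are assumptions. The multi-account flow uses the same calls run under assumed-role credentials in each member account.

```bash
#!/usr/bin/env bash
# Added example, not part of the framework: single-account teardown in the page's order.
# Assumptions: AWS_REGION is the deployment region, INFRA_STACK is your infrastructure
# stack name, and AIML_CLEANUP_EXECUTE=1 must be set before anything is deleted.
set -eu

REGION="${AWS_REGION:-us-east-1}"                          # assumption: deployment region
INFRA_STACK="${INFRA_STACK:-aiml-security-single-account}" # assumption: your stack name

# The page's Quick Check as a function: aiml-sec-<digits>, aiml-security-<digits> and
# aiml-security-mgmt are auto-generated assessment stacks; anything else is treated as
# an infrastructure stack you created yourself.
stack_kind() {
  if printf '%s\n' "$1" | grep -Eq '^aiml-(sec|security)-[0-9]+$|^aiml-security-mgmt$'; then
    echo assessment
  else
    echo infrastructure
  fi
}

# Print the given stack names in deletion order: assessment stacks first, then infrastructure.
teardown_order() {
  for name in "$@"; do
    [ "$(stack_kind "$name")" = assessment ] && echo "$name"
  done
  for name in "$@"; do
    [ "$(stack_kind "$name")" = infrastructure ] && echo "$name"
  done
  return 0
}

# Read one output value from a stack that still exists (prints nothing if the key is absent).
stack_output() {
  aws cloudformation describe-stacks --region "$REGION" --stack-name "$1" \
    --query "Stacks[0].Outputs[?OutputKey=='$2'].OutputValue" --output text
}

# Delete a stack and block until CloudFormation reports DELETE_COMPLETE.
# The wait exits non-zero on DELETE_FAILED, which is what a non-empty AssessmentBucket causes.
delete_stack_and_wait() {
  aws cloudformation delete-stack --region "$REGION" --stack-name "$1"
  aws cloudformation wait stack-delete-complete --region "$REGION" --stack-name "$1"
}

main() {
  account_id="$(aws sts get-caller-identity --query Account --output text)"
  assessment_stack="aiml-sec-${account_id}"

  # 1. Record bucket names while the stacks, and therefore their outputs, still exist.
  assessment_bucket="$(stack_output "$assessment_stack" AssessmentBucketName)"
  infra_bucket="$(stack_output "$INFRA_STACK" AssessmentBucket)"
  printf '%s\n' "$assessment_bucket" "$infra_bucket" > buckets-to-remove.txt
  echo "Recorded bucket names in buckets-to-remove.txt"

  # 2. Assessment stack before infrastructure stack, waiting for each to finish.
  for stack in $(teardown_order "$assessment_stack" "$INFRA_STACK"); do
    echo "Deleting $stack ($(stack_kind "$stack") stack)"
    delete_stack_and_wait "$stack" || {
      echo "Deletion of $stack failed. If its bucket is not empty, empty and delete the bucket, then rerun." >&2
      exit 1
    }
  done

  # 3. The AssessmentBucketName bucket has DeletionPolicy: Retain and is still there.
  #    Empty and remove every bucket in buckets-to-remove.txt with the versioned-bucket helper.
  echo "Stacks deleted. Now empty and remove the buckets listed in buckets-to-remove.txt."
}

if [ "${AIML_CLEANUP_EXECUTE:-0}" = 1 ]; then
  main
fi
```

Run it once without the guard to confirm the classification, then with `AIML_CLEANUP_EXECUTE=1 AWS_REGION=<deployment-region>` to delete. Recording the outputs into a file before the first delete-stack call is the point of step 1: once a stack is gone, describe-stacks no longer returns its outputs.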
AWS Lambda and AWS CodeBuild create Amazon CloudWatch log groups during assessment runs. These log groups can remain after stack deletion unless you delete them or configure retention.
Common log group name patterns include:
- /aws/lambda/aiml-security-*
- /aws/codebuild/AIMLSecurityCodeBuild
- /aws/codebuild/AIMLSecurityMultiAccountCodeBuild

To list likely log groups:

```bash
aws logs describe-log-groups \
    --log-group-name-prefix /aws/lambda/aiml-security-
aws logs describe-log-groups \
    --log-group-name-prefix /aws/codebuild/AIMLSecurity
```

To delete a log group:

```bash
aws logs delete-log-group --log-group-name "<log-group-name>"
```
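To make the log-group step repeatable, here is an added example (not the framework's own code) that turns the three patterns into a filter, lists the groups under both prefixes, and either deletes them or applies a retention policy, which is the "configure retention" alternative mentioned above. It runs as a dry run by default. The LOG_ACTION, RETENTION_DAYS and AIML_LOG_SWEEP_EXECUTE variables are assumptions, and the sample listing is constructed, not captured from an account.

```bash
#!/usr/bin/env bash
# Added example, not the framework's own code: find the framework's CloudWatch log groups
# and either delete them or put a retention policy on them. Dry run by default.
# Assumptions: AWS_REGION, LOG_ACTION (dry-run | delete | retain), RETENTION_DAYS,
# and the AIML_LOG_SWEEP_EXECUTE=1 guard that starts the sweep.
set -eu

REGION="${AWS_REGION:-us-east-1}"       # assumption: deployment region
LOG_ACTION="${LOG_ACTION:-dry-run}"     # assumption: what to do with each group
RETENTION_DAYS="${RETENTION_DAYS:-30}"  # assumption: retention used by LOG_ACTION=retain

# The three name patterns from the page. The two CodeBuild names match exactly; the Lambda
# pattern is a prefix, so only names that start with /aws/lambda/aiml-security- are taken.
is_framework_log_group() {
  case "$1" in
    /aws/lambda/aiml-security-*) return 0 ;;
    /aws/codebuild/AIMLSecurityCodeBuild) return 0 ;;
    /aws/codebuild/AIMLSecurityMultiAccountCodeBuild) return 0 ;;
    *) return 1 ;;
  esac
}

# Filter stdin (one log group name per line) down to the framework's groups. A prefix
# listing can return unrelated groups (e.g. /aws/codebuild/AIMLSecurityOther), so the
# exact check runs on every name.
select_framework_log_groups() {
  while IFS= read -r name; do
    [ -n "$name" ] && is_framework_log_group "$name" && echo "$name"
  done
  return 0
}

# Names under one prefix, one per line (the CLI paginates the listing itself).
list_log_groups() {
  aws logs describe-log-groups --region "$REGION" --log-group-name-prefix "$1" \
    --query 'logGroups[].logGroupName' --output text | tr '\t' '\n'
}

# Apply LOG_ACTION to every framework log group under the two prefixes the page lists.
sweep_log_groups() {
  { list_log_groups /aws/lambda/aiml-security-
    list_log_groups /aws/codebuild/AIMLSecurity; } \
  | select_framework_log_groups \
  | while IFS= read -r group; do
      case "$LOG_ACTION" in
        delete) aws logs delete-log-group --region "$REGION" --log-group-name "$group" ;;
        retain) aws logs put-retention-policy --region "$REGION" --log-group-name "$group" \
                  --retention-in-days "$RETENTION_DAYS" ;;
        *)      echo "dry-run: would delete or set retention on $group"; continue ;;
      esac
      echo "$LOG_ACTION: $group"
    done
}

# Constructed sample listing (not real account output) so the filter can run offline.
SAMPLE_LOG_GROUPS='/aws/lambda/aiml-security-scan
/aws/codebuild/AIMLSecurityCodeBuild
/aws/codebuild/AIMLSecurityMultiAccountCodeBuild
/aws/codebuild/AIMLSecurityOther
/aws/lambda/unrelated-function'

# Run the filter over the constructed sample and print the names it would act on.
demo_selection() {
  printf '%s\n' "$SAMPLE_LOG_GROUPS" | select_framework_log_groups
}

if [ "${AIML_LOG_SWEEP_EXECUTE:-0}" = 1 ]; then
  sweep_log_groups
else
  demo_selection
fi
```

Run with `AIML_LOG_SWEEP_EXECUTE=1` to list what would be touched, then add `LOG_ACTION=delete` (or `LOG_ACTION=retain RETENTION_DAYS=30`) once the list looks right. The exact-name filter is deliberate: the `/aws/codebuild/AIMLSecurity` prefix used for listing is wider than the two CodeBuild log groups the framework creates.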