diff --git a/cicd/cloudformation/secrets.yaml b/cicd/cloudformation/secrets.yaml
index b03c900..c62e5f4 100644
--- a/cicd/cloudformation/secrets.yaml
+++ b/cicd/cloudformation/secrets.yaml
@@ -203,6 +203,8 @@ Resources:
 KeyForSecrets:
 Type: AWS::KMS::Key
+ DeletionPolicy: Retain
+ UpdateReplacePolicy: Delete
 Properties:
 Description: Key for protecting SSOSync Secrets in cross-account deployment
 Enabled: true
@@ -248,6 +250,8 @@ Resources:
 SecretGoogleCredentials:
 Type: "AWS::SecretsManager::Secret"
 Condition: CreateGoogle
+ DeletionPolicy: Retain
+ UpdateReplacePolicy: Delete
 Properties:
 Name: TestGoogleCredentials
 SecretString: !Ref GoogleCredentials
@@ -283,6 +287,8 @@ Resources:
 SecretGoogleAdminEmail:
 Type: "AWS::SecretsManager::Secret"
 Condition: CreateGoogle
+ DeletionPolicy: Retain
+ UpdateReplacePolicy: Delete
 Properties:
 Name: TestGoogleAdminEmail
 SecretString: !Ref GoogleAdminEmail
@@ -318,6 +324,8 @@ Resources:
 SecretWIFServiceAccountEmail:
 Type: "AWS::SecretsManager::Secret"
 Condition: CreateWIF
+ DeletionPolicy: Retain
+ UpdateReplacePolicy: Delete
 Properties:
 Name: TestWIFServiceAccountEmail
 SecretString: !Ref WIFServiceAccountEmail
@@ -353,6 +361,8 @@ Resources:
 SecretWIFClientLibraryConfig:
 Type: "AWS::SecretsManager::Secret"
 Condition: CreateWIF
+ DeletionPolicy: Retain
+ UpdateReplacePolicy: Delete
 Properties:
 Name: TestWIFClientLibraryConfigSecret
 SecretString: !Ref WIFClientLibraryConfig
@@ -387,6 +397,8 @@ Resources:
 SecretSCIMEndpoint:
 # This can be moved to custom provider
 Type: "AWS::SecretsManager::Secret"
+ DeletionPolicy: Retain
+ UpdateReplacePolicy: Delete
 Properties:
 Name: TestSCIMEndpointUrl
 SecretString: !Ref SCIMEndpointUrl
@@ -420,6 +432,8 @@ Resources:
 SecretSCIMAccessToken:
 # This can be moved to custom provider
 Type: "AWS::SecretsManager::Secret"
+ DeletionPolicy: Retain
+ UpdateReplacePolicy: Delete
 Properties:
 Name: TestSCIMAccessToken
 SecretString: !Ref SCIMEndpointAccessToken
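Review bot: The two policies added to `KeyForSecrets` pull in opposite directions: `DeletionPolicy: Retain` keeps the key when the stack is deleted, but `UpdateReplacePolicy: Delete` lets CloudFormation schedule the old key for deletion whenever a property change forces a replacement, and once the pending-deletion window elapses any ciphertext still protected by that key is unrecoverable. Assuming the secrets below reference this key via `KmsKeyId` (the hunk does not show their full Properties), a replacement of the key would silently strand every retained secret, so the key should be kept on both paths: `UpdateReplacePolicy: Retain`. A short comment above the policies explaining why the key outlives the stack, e.g. `# Retained so secrets encrypted under it remain decryptable after stack deletion; clean up manually`, would also record that the orphaned key now needs an explicit teardown step. The rest of the key definition (key policy and so on) lies outside the hunk.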
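Review bot: `DeletionPolicy: Retain` on `SecretSCIMAccessToken` leaves a live SCIM bearer token sitting in Secrets Manager after the stack is torn down, detached from the template and from any cleanup the stack used to provide; the same applies to the retained Google credentials and WIF client-library config in the hunks above. If the intent is to protect against accidental loss, it should be paired with a documented teardown step (and, for the access token, revocation on the IAM Identity Center side) so deleted test stacks do not accumulate valid credentials. Because the secret has a fixed `Name: TestSCIMAccessToken`, a retained copy will, as far as I can tell, also make the next deployment of this template in the same account and region fail with an already-exists error, so the redeploy path needs to be exercised before merging. A comment such as `# Retained on stack delete: remove the orphaned secret (and revoke the token) before redeploying this template` next to the policies would capture both points.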
@@ -453,6 +467,8 @@ Resources:
 SecretRegion:
 Type: "AWS::SecretsManager::Secret"
+ DeletionPolicy: Retain
+ UpdateReplacePolicy: Delete
 Properties:
 Name: TestRegion
 SecretString: !Select [1, !Split [".", !Ref SCIMEndpointUrl]]
@@ -486,6 +502,8 @@ Resources:
 SecretIdentityStoreID:
 Type: "AWS::SecretsManager::Secret"
+ DeletionPolicy: Retain
+ UpdateReplacePolicy: Delete
 Properties:
 Name: TestIdentityStoreId
 SecretString: !Ref IdentityStoreId
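Review bot: Retaining `SecretRegion` and `SecretIdentityStoreID` adds orphan-cleanup burden without a matching benefit: as the hunks show, their values are a substring of `SCIMEndpointUrl` (`!Select [1, !Split [".", !Ref SCIMEndpointUrl]]`) and the `IdentityStoreId` parameter, so they are fully reproducible from the template inputs and not sensitive in the way the credential secrets are. With the fixed names `TestRegion` and `TestIdentityStoreId`, the retained copies will also block re-creation on the next deployment in the same account and region unless they are deleted by hand first. If the blanket Retain is deliberate for consistency, a comment on these two resources saying so, e.g. `# Retained only for parity with the credential secrets; value is derived from stack parameters`, would stop a future maintainer from assuming they hold data worth preserving. Otherwise consider leaving these two at the default delete behaviour.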