
Answer-first summary for fast verification
Answer: Use a CloudFormation stack policy with an explicit allow for all resources and an explicit deny of protected resources with Update:*.
A CloudFormation stack policy protects specific resources from updates by denying Update:* on them while allowing updates to all other resources. This prevents accidental changes to the database during stack updates without blocking deployments.
Author: LeetQuiz Editorial Team
A user accidentally changed a database property in a CloudFormation template and caused an application interruption. How can the DevOps team continue deploying while preventing modifications to specific resources?
A. Set up an AWS Config rule to alert on CloudFormation changes; use Lambda to cancel operations affecting protected resources.
B. Set up an EventBridge rule for any CloudFormation API call; use Lambda to cancel if protected resources were modified.
C. Use a CloudFormation stack policy with an explicit allow for all resources and an explicit deny of protected resources with Update:*.
D. Attach an IAM policy to the DevOps team role preventing stack updates based on protected resource ARNs.
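
A stack policy of the shape the answer describes, as an added example that is not part of the original page; the logical ID ProductionDatabase is an assumed name for the protected database resource. Once a stack policy is set, every resource is protected unless a statement allows updates, so the Allow on all resources keeps deployments working, and the explicit Deny overrides it for the database.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "LogicalResourceId/ProductionDatabase"
    }
  ]
}
```

The policy is attached with `aws cloudformation set-stack-policy --stack-name <stack-name> --stack-policy-body file://policy.json`, where the stack name and file name are placeholders.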