Your application uses CloudFormation to orchestrate your application's resources.
During the testing phase before the application went live, a developer accidentally changed the Amazon RDS instance type in the CloudFormation template and updated the stack.
This has caused the instance to be re-created, resulting in the loss of test data.
How should you prevent others from updating the stack resources?
Answer - B.
When you create a stack, all update actions are allowed on all resources.
By default, anyone with stack update permissions can update all of the resources in the stack.
Some resources might require an interruption or be completely replaced during an update, resulting in new physical IDs or completely new storage.
You can prevent stack resources from being unintentionally updated or deleted during a stack update by using a stack policy.
A stack policy is a JSON document that defines the update actions that can be performed on designated resources.
After you set a stack policy, all of the resources in the stack are protected by default.
To allow updates on specific resources, you specify an explicit Allow statement for those resources in your stack policy.
You can define only one stack policy per stack.
But you can protect multiple resources within a single policy.
A stack policy applies to all AWS CloudFormation users who attempt to update the stack.
You can't associate different stack policies with different users.
A stack policy applies only during stack updates.
It doesn't provide access controls like an AWS Identity and Access Management (IAM) policy.
Use a stack policy only as a fail-safe mechanism to prevent accidental updates to specific stack resources.
To control access to AWS resources or actions, use IAM.
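To show how the default-deny and explicit-Allow semantics described above play out, here is an added Python example (not code from the page or from AWS): a constructed stack policy that allows all update actions except on the RDS instance, whose logical ID is assumed to be MyDatabase, plus a small evaluator that applies the documented rules (an action needs an explicit Allow, and an explicit Deny always wins).

```python
import fnmatch
import json

# Constructed stack policy (not from the page or AWS docs): allow every update
# action on every resource, then explicitly deny all update actions on the RDS
# instance, whose logical ID is assumed here to be "MyDatabase".
STACK_POLICY = json.loads("""
{
  "Statement": [
    {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "Update:*", "Principal": "*",
     "Resource": "LogicalResourceId/MyDatabase"}
  ]
}
""")

# A policy without any Allow statement: once set, every resource is protected.
DENY_ALL_POLICY = {"Statement": []}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resource_matches(pattern, logical_id):
    # Resource entries are "*" or "LogicalResourceId/<id>", where <id> may
    # carry a trailing wildcard such as "LogicalResourceId/Prod*".
    prefix = "LogicalResourceId/"
    if pattern == "*":
        return True
    return pattern.startswith(prefix) and fnmatch.fnmatchcase(logical_id, pattern[len(prefix):])


def is_update_allowed(policy, action, logical_id):
    """Decide whether a stack update may perform `action` ("Update:Modify",
    "Update:Replace" or "Update:Delete") on the resource `logical_id`.
    Mirrors the documented semantics: with a policy in place the default is
    deny, an explicit Allow is required, and an explicit Deny always wins."""
    allowed = False
    for stmt in policy.get("Statement", []):
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(_resource_matches(r, logical_id) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

The `Statement` document above is what you would pass to `aws cloudformation set-stack-policy --stack-name <stack> --stack-policy-body file://policy.json`; a subsequent update that would replace or modify MyDatabase then fails, while updates to other resources proceed.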
Please refer to the following link:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html
Explanation of each answer option:
A. Within the AWS CloudFormation parameter with which users can select the Amazon RDS instance type, set AllowedValues only to contain the current instance type.
This answer option suggests that you can prevent others from updating the stack resources by limiting the values that are allowed for the Amazon RDS instance type parameter. By setting AllowedValues to only contain the current instance type, you can prevent developers from accidentally or intentionally changing the instance type. However, this solution relies on users selecting the correct parameter values, and it does not provide any safeguard against intentional or unauthorized changes.
B. Use an AWS CloudFormation stack policy to deny updates to the instance.
This answer option suggests that you can prevent others from updating the stack resources by using a stack policy to deny updates to the Amazon RDS instance. A stack policy is a JSON document that you can attach to a stack to specify the update actions that are allowed or denied for specific resources. By creating a stack policy that denies updates to the Amazon RDS instance, you can prevent developers from accidentally or intentionally modifying the instance type. This solution provides a more robust safeguard against unauthorized changes than option A.
C. In the AWS CloudFormation template, set the AWS::RDS::DBInstance's DBInstanceClass property to be read-only.
This answer option suggests that you can prevent others from updating the stack resources by setting the DBInstanceClass property of the AWS::RDS::DBInstance resource to be read-only. This would prevent any updates to the instance type, but it would also prevent any other modifications to the resource, which may not be desirable. Additionally, this solution does not provide any protection against unauthorized changes.
D. Subscribe to the AWS CloudFormation notification “BeforeResourceUpdate,” and call CancelStackUpdate if the resource identified is the Amazon RDS instance.
This answer option suggests that you can prevent others from updating the stack resources by subscribing to the BeforeResourceUpdate CloudFormation notification and cancelling the update if the resource being updated is the Amazon RDS instance. This solution provides a way to automatically prevent updates to the Amazon RDS instance without relying on users to select the correct parameter values or creating a stack policy. However, this solution requires some custom coding and may not be feasible for all applications.
E. Update the stack using ChangeSets.
This answer option suggests that you can prevent others from making unintentional changes to the stack resources by using ChangeSets to preview and validate changes before applying them to the stack. ChangeSets allow you to preview changes to a stack before applying them, which can help prevent unintended changes. However, this solution does not provide any protection against intentional or unauthorized changes.
In conclusion, answer options B and D provide the most robust solutions for preventing others from updating the stack resources. Option B provides a way to create a stack policy that denies updates to the Amazon RDS instance, while option D provides a way to automatically cancel updates to the instance using the BeforeResourceUpdate notification. Options A and E may provide some level of protection against unintended changes, but they do not provide any safeguard against intentional or unauthorized changes. Option C may prevent changes to the instance type, but it also prevents any other modifications to the resource.