Securing Your AWS Database with CloudFormation: Best Practices

Preventing Accidental Replacements or Deletions of DynamoDB Production Database with CloudFormation

Question

A CloudFormation template is used to deploy an application stack that includes a DynamoDB backend database.

The development team would like to prevent accidental replacements or deletions of the production database when a template update is applied.

What is the best method for the team to achieve this requirement?

Answers

Explanations


Answer: B.

Option A is incorrect because CloudFormation Service Roles are used for granting permissions and actions CloudFormation can perform when deploying a template across all AWS services and resources.

This is not the best solution for protecting a specific stack or resource as the policy is associated with the role (and not the specific stack/resources in question).

Option B is CORRECT because a CloudFormation stack policy can deny specific update actions (for example Update:Replace and Update:Delete) on named resources within a stack, protecting them from unintended modification during a stack update.

Option C is incorrect because DynamoDB deletion protection (the DeletionProtectionEnabled table setting) only blocks the DeleteTable call. It does not stop CloudFormation from treating a template change to a replacement-forcing property such as TableName or KeySchema as a replacement, in which case the stack's logical resource is pointed at a newly created, empty table even if the old one survives. A control that works at the stack-update level is needed to cover both replacements and deletions.

Option D is incorrect because an IAM policy attached to the development team's IAM group only restricts what those users can do directly against DynamoDB; it does nothing to stop a replacement or deletion of the table performed by CloudFormation during a template deployment.

Reference:

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html

The best method for preventing accidental replacements or deletions of a production database during a CloudFormation template update is by using a CloudFormation stack policy.

Option A suggests implementing an IAM policy and assigning it to the CloudFormation service role. Because the policy is attached to the role rather than to a resource, it applies to every stack and every resource deployed with that role, and it cannot express "deny replacement of this one logical resource". It also acts at the DynamoDB API level, after CloudFormation has already decided to replace the table, rather than rejecting the update up front.

Option B suggests implementing a CloudFormation stack policy, which is the appropriate solution for this requirement. A stack policy is a JSON document that allows or denies specific update actions (Update:Modify, Update:Replace, Update:Delete, or Update:*) on stack resources, addressed by their logical ID as LogicalResourceId/<id> or by resource type via a Condition. In this case, the stack policy should deny Update:Replace and Update:Delete on the production table's logical ID. Note that once a stack policy is set, every resource not explicitly allowed is protected by default, so the policy also needs an Allow of Update:* on "*" for the rest of the stack. The stack policy can be attached when the stack is created or set afterwards, and a deliberate change to a protected resource can be made by supplying a temporary overriding policy for a single update.
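The following is an added example, not code from the original page or from AWS. It holds a constructed stack policy of the shape described above and evaluates it the way CloudFormation applies a stack policy during an update: resources the policy does not mention are denied, an explicit Deny overrides any Allow, and actions and resources are matched by the Update:* and LogicalResourceId/* patterns. The stack contents, the change sets and the small table of replacement-forcing DynamoDB properties are constructed for the example; only the StringEquals/ResourceType condition form is modelled.

```python
"""Evaluate a CloudFormation stack policy against a planned stack update.

Added example: the policy, the stack resources and the change sets below are
constructed for illustration, not taken from a real deployment.
"""
import fnmatch
import json

# Constructed stack policy: deny replacement and deletion of the logical
# resource "ProductionTable" during updates, allow everything else.
STACK_POLICY = json.loads("""
{
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["Update:Replace", "Update:Delete"],
      "Principal": "*",
      "Resource": "LogicalResourceId/ProductionTable"
    },
    {
      "Effect": "Allow",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "*"
    }
  ]
}
""")

# Constructed stack: logical ID -> resource type.
STACK_RESOURCES = {
    "ProductionTable": "AWS::DynamoDB::Table",
    "StagingTable": "AWS::DynamoDB::Table",
    "AppFunction": "AWS::Lambda::Function",
}

# Properties whose change forces CloudFormation to create a new resource and
# delete the old one. Subset of the resource reference; assumption for this
# example: any other property change is an in-place modify.
REPLACEMENT_PROPERTIES = {
    "AWS::DynamoDB::Table": {"TableName", "KeySchema"},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def classify_change(resource_type, changed_properties):
    """Map a set of changed property names to the stack-policy action name."""
    if not changed_properties:
        return None
    forcing = REPLACEMENT_PROPERTIES.get(resource_type, set())
    return "Update:Replace" if forcing & set(changed_properties) else "Update:Modify"


def _statement_matches(stmt, action, logical_id, resource_type):
    """True when the statement's Action, Resource and Condition all match."""
    if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
        return False
    target = f"LogicalResourceId/{logical_id}"
    if not any(fnmatch.fnmatchcase(target, pat) for pat in _as_list(stmt["Resource"])):
        return False
    wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("ResourceType")
    if wanted is not None and resource_type not in _as_list(wanted):
        return False
    return True


def is_update_allowed(policy, action, logical_id, resource_type):
    """Decide one update action on one resource under the stack policy."""
    allowed = False  # default deny for any resource the policy does not mention
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, logical_id, resource_type):
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny overrides every Allow
            allowed = True
    return allowed


def evaluate_update(policy, resources, changes):
    """Return {logical_id: (action, allowed)} for every resource an update touches.

    `changes` maps logical ID -> set of changed property names, or None when
    the resource has been removed from the new template (a deletion).
    """
    verdicts = {}
    for logical_id, props in changes.items():
        resource_type = resources[logical_id]
        action = "Update:Delete" if props is None else classify_change(resource_type, props)
        if action is None:
            continue
        verdicts[logical_id] = (action, is_update_allowed(policy, action, logical_id, resource_type))
    return verdicts


if __name__ == "__main__":
    # Constructed update: rename the production table (a replacement), raise the
    # function's memory (a modify) and drop the staging table (a deletion).
    planned = {"ProductionTable": {"TableName"}, "AppFunction": {"MemorySize"}, "StagingTable": None}
    for rid, (action, ok) in evaluate_update(STACK_POLICY, STACK_RESOURCES, planned).items():
        print(f"{rid}: {action} -> {'allowed' if ok else 'DENIED by stack policy'}")
```

In the sample update only the production table's rename is refused; the Lambda change and the staging table deletion go through because of the trailing Allow Update:* on "*". Changing an in-place property such as ProvisionedThroughput on ProductionTable is also allowed, since the Deny names only Update:Replace and Update:Delete. The real policy document is attached with `aws cloudformation set-stack-policy --stack-name <stack> --stack-policy-body file://policy.json` (or passed to create-stack), and a deliberate one-off change to a protected resource is made by passing `--stack-policy-during-update-body` to update-stack rather than by editing the permanent policy.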

Option C suggests configuring deletion protection on the table (DeletionProtectionEnabled), which can prevent an accidental DeleteTable call but does not stop CloudFormation from replacing the table when a template update changes a replacement-forcing property.

Option D suggests implementing an IAM policy and assigning it to the development team IAM group. That only governs what those users can do directly against DynamoDB; a CloudFormation update executed under the stack's service role is unaffected, and the policy still cannot single out the one resource that needs protecting.

Therefore, the best option for preventing accidental replacements or deletions of a production database during a CloudFormation template update is to implement a CloudFormation stack policy that denies Update:Replace and Update:Delete on the production database resource. One caveat: a stack policy applies only during stack updates, so it does not stop a delete-stack operation; pair it with DeletionPolicy: Retain and UpdateReplacePolicy: Retain on the table resource, and with stack termination protection, if the table must also survive deletion of the whole stack.