CloudFormation Templates for Secure Stack Updates

Restricting Updates to Production-Based Resources in CloudFormation


Question

You are in charge of designing a number of CloudFormation templates for your organization.

You need to ensure that no one can accidentally update the production-based resources in the stack during a stack update.

How can this be achieved in the most efficient way?

Answers

Explanations


Answer - B.

The AWS documentation states:

When you create a stack, all update actions are allowed on all resources.

By default, anyone with stack update permissions can update all of the resources in the stack.

During an update, some resources might require an interruption or be completely replaced, resulting in new physical IDs or completely new storage.

You can prevent stack resources from being unintentionally updated or deleted during a stack update by using a stack policy.

A stack policy is a JSON document that defines the update actions that can be performed on designated resources.

For more information on protecting stack resources, see the URL below.

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html

To prevent accidental updates to production-based resources in a CloudFormation stack, the most efficient mechanism is a stack policy. Therefore, the correct answer is B.

A stack policy controls which update actions (Update:Modify, Update:Replace, Update:Delete, or the wildcard Update:*) may be performed on which resources of a stack during a stack update. It applies only during stack updates: it does not control who is allowed to run an update (that is IAM), it does not prevent deletion of the whole stack (termination protection covers that), and it does not block changes made to the underlying resources outside CloudFormation.

To implement a stack policy, write a JSON policy document whose statements each have an Effect, an Action, a Principal of "*", and a Resource that names the logical resource IDs to cover (wildcards such as LogicalResourceId/Production* are accepted), optionally with a Condition on ResourceType. Attach the document when creating the stack or afterwards with set-stack-policy, using the AWS Management Console, the AWS CLI, or an SDK. Once a policy is attached, all resources are protected by default, so the usual pattern is one Allow statement for Update:* on all resources followed by explicit Deny statements for the production resources; an explicit Deny always overrides an Allow.

Stack policies do not support conditions on tags; the only supported condition key is ResourceType. To protect the production resources, deny Update:* on their logical IDs, or deny Update:Replace and Update:Delete for an entire resource type such as AWS::RDS::DBInstance. An update that attempts a denied action on a protected resource fails, and the production-based resources remain unchanged.

One caveat: a stack policy guards against mistakes, not against a determined principal. Anyone holding cloudformation:SetStackPolicy can replace the policy or override it for the duration of a single update with a temporary policy, so restrict that IAM action to a small set of roles. With that in place, a stack policy is the most efficient way to protect production-based resources in a CloudFormation stack, because it applies targeted restrictions to individual resources and prevents accidental updates.
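The following Python script is an added example (not code from the page or from AWS). It builds the stack policy described above for a set of production resources and checks a list of proposed changes against it using the documented decision rule (explicit Deny wins, everything else is denied unless explicitly allowed). The evaluator is a simplified local model of those rules for testing a draft policy offline before attaching it; the logical IDs, resource types and sample change list are constructed for illustration.

```python
"""Build a CloudFormation stack policy that protects production resources and
check proposed update actions against it (added example, not from the page).

The policy format and the Deny-overrides-Allow / protected-by-default rules
follow the stack policy documentation; the evaluator is a local approximation.
"""
import fnmatch
import json

# Update actions a stack policy can name; "Update:*" covers all three.
UPDATE_ACTIONS = ("Update:Modify", "Update:Replace", "Update:Delete")


def build_stack_policy(protected_logical_ids, protected_types=()):
    """Allow all updates, then deny every update action on the named resources.
    Optionally also deny replacement/deletion of whole resource types."""
    statements = [
        {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"}
    ]
    for logical_id in protected_logical_ids:
        statements.append({
            "Effect": "Deny",
            "Action": "Update:*",
            "Principal": "*",
            "Resource": f"LogicalResourceId/{logical_id}",
        })
    if protected_types:
        statements.append({
            "Effect": "Deny",
            "Action": ["Update:Replace", "Update:Delete"],
            "Principal": "*",
            "Resource": "*",
            # ResourceType is the only condition key stack policies support.
            "Condition": {"StringEquals": {"ResourceType": list(protected_types)}},
        })
    return {"Statement": statements}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _statement_matches(statement, logical_id, resource_type, action):
    """True if the statement applies to this (resource, action) pair."""
    if not any(a in ("Update:*", action) for a in _as_list(statement["Action"])):
        return False
    target = f"LogicalResourceId/{logical_id}"
    resources = _as_list(statement["Resource"])
    if not any(r == "*" or fnmatch.fnmatchcase(target, r) for r in resources):
        return False
    for operator, keys in statement.get("Condition", {}).items():
        if operator not in ("StringEquals", "StringLike"):
            raise ValueError(f"unsupported condition operator {operator}")
        types = _as_list(keys.get("ResourceType", []))
        if operator == "StringEquals" and resource_type not in types:
            return False
        if operator == "StringLike" and not any(
            fnmatch.fnmatchcase(resource_type, t) for t in types
        ):
            return False
    return True


def is_update_allowed(policy, logical_id, resource_type, action):
    """Explicit Deny wins over Allow; with a policy attached, anything not
    explicitly allowed is denied (the protected-by-default rule)."""
    if action not in UPDATE_ACTIONS:
        raise ValueError(f"unknown update action {action}")
    effects = {
        s["Effect"]
        for s in policy.get("Statement", [])
        if _statement_matches(s, logical_id, resource_type, action)
    }
    return "Deny" not in effects and "Allow" in effects


def blocked_changes(policy, proposed_changes):
    """Return the (logical_id, resource_type, action) tuples the policy refuses.
    Feed it the resource changes a change set reports before running the update."""
    return [c for c in proposed_changes if not is_update_allowed(policy, *c)]


if __name__ == "__main__":
    policy = build_stack_policy(
        ["ProductionDatabase", "ProductionBucket"],
        protected_types=["AWS::RDS::DBInstance"],
    )
    # Save this document and attach it with the real CLI (run outside the script):
    #   aws cloudformation set-stack-policy --stack-name prod-app \
    #       --stack-policy-body file://stack-policy.json
    print(json.dumps(policy, indent=2))

    # Constructed sample of what a change set might list for a proposed update.
    proposed = [
        ("ProductionDatabase", "AWS::RDS::DBInstance", "Update:Modify"),
        ("ReportingDb", "AWS::RDS::DBInstance", "Update:Replace"),
        ("ReportingDb", "AWS::RDS::DBInstance", "Update:Modify"),
        ("WebServerGroup", "AWS::AutoScaling::AutoScalingGroup", "Update:Replace"),
    ]
    for change in blocked_changes(policy, proposed):
        print("blocked by stack policy:", change)
```

Run it against the resource changes a change set reports and any entry it lists as blocked is one the real update would refuse; the first Allow statement is what keeps the rest of the stack updatable, since without it every resource would be protected once the policy is attached.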