AWS Certified Database – Specialty — Question 267

A company is running critical applications on AWS. Most of the application deployments use Amazon Aurora MySQL for the database stack. The company uses AWS CloudFormation to deploy the DB instances.

The company's application team recently implemented a CI/CD pipeline. A database engineer needs to integrate the database deployment CloudFormation stack with the newly built CI/CD platform. Updates to the CloudFormation stack must not update existing production database resources.

Which CloudFormation stack policy action should the database engineer implement to meet these requirements?

Answer options

• A. Use a Deny statement for the Update:Modify action on the production database resources.
• B. Use a Deny statement for the Update:* action on the production database resources.
• C. Use a Deny statement for the Update:Delete action on the production database resources.
• D. Use a Deny statement for the Update:Replace action on the production database resources.

Correct answer: B

Explanation

To prevent any modifications to the production database resources during CloudFormation stack updates, a stack policy must be configured with a Deny statement for the 'Update:*' action. This action encompasses all update types, including Modify, Replace, and Delete, ensuring comprehensive protection. Restricting only specific actions like 'Update:Modify' or 'Update:Replace' would not prevent other types of destructive updates from occurring.