Preventing Updates to AWS CloudFormation Resources with Stack Policies

In AWS CloudFormation, a newly created stack allows updates to all stack resources by default. A stack update can be carried out by anyone with stack update permissions, and certain updates may result in a complete replacement of a resource. When using AWS CloudFormation to manage cloud infrastructure, it's essential to employ the correct safeguards to avoid unintentional updates to business-critical services.

Defining a stack policy along with your CloudFormation stack can prevent resources from being unintentionally updated or deleted during a stack update.

In this lab, you will learn how to apply and override a stack policy that is associated with an AWS CloudFormation stack.

Learning Objectives

Upon completion of this intermediate-level lab, you will be able to:

• Apply a stack policy to an AWS CloudFormation stack to prevent updates or deletion of stack resources
• Override a stack policy for a one-time stack update

Intended Audience

• Candidates for the AWS Certified DevOps Engineer - Professional exam
• Cloud Architects
• Software Engineers

Prerequisites

Familiarity with the following will be beneficial but is not required:

• AWS CloudFormation
• Amazon EC2

The following content can be used to fulfill the prerequisite:

• AWS CloudFormation: Introduction to Infrastructure as Code
• Hands-On CloudFormation for Deploy Scalability