Stack policies

5 minutes 5 Questions

Stack policies in AWS CloudFormation prevent unplanned resource updates or deletions. They define what changes are allowed and which resources are protected during stack modifications. A stack policy is a JSON-formatted text file that specifies the allowed or denied actions on defined resources or …

Guide on AWS CloudFormation Stack Policies

AWS CloudFormation Stack Policies are a key concept for AWS Solution Architects.

What is it: Stack policies are JSON documents that define the update actions that can be performed on designated resources.

Why it is important: Stack policies provide an additional level of security by preventing unintentional updates to stack resources, which can help protect critical resources from being accidentally deleted or updated.

How it works: They control how AWS CloudFormation manages updates to particular resources in an AWS CloudFormation stack. When you associate a policy with your stack, CloudFormation checks the policy when you submit an update request.

Answering Questions on Stack Policies: When answering an exam question about stack policies, keep in mind that stack policies provide protection for resources, limiting the actions that can be taken on them. Use a policy to prevent stack resources from being unintentionally updated or deleted during stack operations. Always remember, stack policy doesn’t prevent or roll back resource updates that are initiated outside of AWS CloudFormation(i.e., updates initiated through a different service).

Exam Tips: Understanding the syntax and key components of stack policies is an important part of succeeding in the exam. Recognize the difference between permissions and policies: the former controls who can perform stack operations, the latter controls how AWS CloudFormation manages updates to resources in the stack.

Practice: Always practice creating and managing stack policies in AWS CloudFormation to get a full understanding of how they work.

Test mode:

Exam (Timed)

Practice (With explanations)

Start practice test

AWS Certified Solutions Architect - Stack policies Example Questions

Test your knowledge of Stack policies

Question 1

Your team manages an Amazon RDS DB instance with AWS CloudFormation. A stack policy denies Update and Delete actions on the DB instance resource to prevent accidental changes. The DB master password is supplied to the stack as a parameter (not via Secrets Manager) and must be rotated monthly. You want to keep the DB instance under CloudFormation control and maintain the stack policy protections. What should you do to update the password each month?

Bypass the Stack Policy and modify the instance directly in the AWS Management Console. Use AWS CloudTrail to change the password directly without using CloudFormation. Temporarily relax the stack policy to allow Update on the specific RDS resource, perform a CloudFormation stack update to set the new DB master password, then restore the restrictive stack policy. Replace the Amazon RDS instance with another one without a Stack Policy.

Correct Answer: Temporarily relax the stack policy to allow Update on the specific RDS resource, perform a CloudFormation stack update to set the new DB master password, then restore the restrictive stack policy.

Stack policies protect resources from unintended changes made by CloudFormation. To rotate a password that is managed as part of the stack, you should temporarily apply a more permissive stack policy that allows Update on the specific RDS resource, run UpdateStack with the new MasterUserPassword, and then re-apply the restrictive policy. This maintains CloudFormation as the single source of truth and preserves auditability. AWS CloudTrail cannot change passwords; it only logs API activity. Modifying the DB directly in the console bypasses CloudFormation, causing drift and violating governance controls. Replacing the DB instance is unnecessary and disruptive for routine password rotation.

Question 2

Your AWS CloudFormation stack has a Stack Policy that allows all actions on all resources. You need to temporarily protect a specific resource from being updated during a maintenance event. What approach should you use?

Perform Stack Update with a modified stack policy that denies the update action on the target resource. Delete the existing Stack Policy and then create a new one to protect the target resource. Add the condition 'Action: deny, Resource: target_resource' in the existing Stack Policy. Modify the Stack Policy to prevent execution of any action on the target resource.

Correct Answer: Perform Stack Update with a modified stack policy that denies the update action on the target resource.

Use the Stack Update API to perform a stack update with a temporary stack policy denying update actions on the target resource. This safeguards the resource during the maintenance event without permanently modifying the main Stack Policy.

Question 3

You are trying to modify the Stack Policy for an existing AWS CloudFormation stack. Your colleague mistakenly added a Stack Policy that denies any action on any resource. What should you do to regain access to the stack?

Use AWS CloudTrail to revert the Stack Policy changes. Delete the stack and create a new one with the correct Stack Policy. Contact AWS support to resolve the issue. Pass a new Stack Policy via command line or AWS Management Console.

Correct Answer: Pass a new Stack Policy via command line or AWS Management Console.

To regain access to the stack, supply a new Stack Policy via command line or AWS Management Console. Using CloudTrail, support, manual modifications or rollback will not resolve the issue, and deleting the stack could result in data loss.

🎓 Unlock Premium Access

AWS Certified Solutions Architect - Associate + ALL Certifications

🎓 Access to ALL Certifications: Study for any certification on our platform with one subscription
5645 Superior-grade AWS Certified Solutions Architect - Associate practice questions
Unlimited practice tests across all certifications
Detailed explanations for every question
AWS Certified Solutions Architect: 5 full exams plus all other certification exams
100% Satisfaction Guaranteed: Full refund if unsatisfied
Risk-Free: 7-day free trial with all premium features!

Start Your Free 7-Day Trial