A company uses AWS CloudFormation to manage infrastructure. They want to update a stack but need to ensure that critical database resources are not accidentally replaced during the update. What is the BEST way to protect these resources?
Stack policies control update permissions; a Deny on replace prevents replacement.
Why this answer
CloudFormation stack policies allow you to specify which resources can be updated or replaced. Setting a stack policy with Deny for the database resources prevents replacement.