A financial services company uses AWS CloudFormation to deploy a three-tier web application. The stack includes an Amazon RDS for PostgreSQL database. The database master password is stored in AWS Secrets Manager, and the CloudFormation template uses a dynamic reference to retrieve it during stack creation. The team recently rotated the database password in Secrets Manager. When they attempt to update the stack to change other parameters, the update fails with the error: 'Value of property MasterUserPassword must be a string.' The team is using the following template snippet for the password: 'MasterUserPassword': '{{resolve:secretsmanager:MySecret:SecretString:password}}'. The stack was originally created with AWS CloudFormation. What is the most likely cause of the failure?
CloudFormation does not re-resolve dynamic secrets on stack updates.
Why this answer
Option A is correct because dynamic references are only resolved during stack creation and not during updates. To update the password, the team must use a different approach. Option B is incorrect because Secrets Manager rotation does not invalidate the secret immediately.
Option C is incorrect because the template syntax is correct. Option D is incorrect because Secrets Manager is not region-bound in this context.