nerdexam
ExamsDBS-C01Questions#341
AmazonAmazon

DBS-C01 · Question #341

DBS-C01 Question #341: Real Exam Question with Answer & Explanation

A CloudFormation stack policy that meets this requirement must explicitly deny update actions on the specific logical resource 'ProductionDatabase' while allowing updates to all other resources. Option B correctly combines a Deny statement targeting the specific resource (identif

Submitted by takeshi77· Mar 6, 2026Design Secure Architectures / Implement security controls for infrastructure-as-code deployments using CloudFormation stack policies to protect specific resources from unintended modifications.

Question

A company is using AWS CloudFormation to provision and manage infrastructure resources, including a production database. During a recent CloudFormation stack update, a database specialist observed that changes were made to a database resource that is named ProductionDatabase. The company wants to prevent changes to only ProductionDatabase during future stack updates. Which stack policy will meet this requirement? A. B. C. D.

Options

  • A
  • B
  • C
  • D

Explanation

A CloudFormation stack policy that meets this requirement must explicitly deny update actions on the specific logical resource 'ProductionDatabase' while allowing updates to all other resources. Option B correctly combines a Deny statement targeting the specific resource (identified by its logical ID 'ProductionDatabase') with an Allow statement for all other resources ('*'), which is the correct structure for protecting a single resource during stack updates.

Topics

#AWS CloudFormation#Stack Policies#Infrastructure Protection#IAM Policy Syntax

Community Discussion

No community discussion yet for this question.

Sign up to join the discussion
Full DBS-C01 PracticeBrowse All DBS-C01 Questions