AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
A company uses AWS CloudFormation to provision application stacks that include an IAM role with the AdministratorAccess managed policy attached. Application teams must be free to update the rest of their resources, but the CloudOps engineer must ensure that these critical roles can never be deleted or replaced during stack updates. What is the most operationally efficient way to meet this requirement?
Enable termination protection on every stack so CloudFormation blocks operations that would delete resources.
Deploy an AWS Config rule that detects changes to Administrator roles and triggers a Lambda function to roll back unauthorized modifications.
Attach a stack policy to each stack that denies Delete and Update:Replace actions for the logical IDs of the Administrator roles.
Add a DeletionPolicy of Retain to the IAM role resources in the templates.
Attach a CloudFormation stack policy that denies Update:Delete and Update:Replace actions for the logical IDs representing the Administrator roles while an Allow statement permits all other update actions. When a team attempts a stack update that would delete or replace one of those roles, CloudFormation evaluates the stack policy first and blocks the operation, yet still allows updates to all other resources.
Termination protection only prevents the DeleteStack operation; it does not stop stack updates that might delete or replace individual resources. Adding a DeletionPolicy of Retain protects the physical resource from deletion but does not prevent a replacement, and CloudFormation will still attempt the update. An AWS Config rule with a remediation Lambda function is reactive: it allows the unwanted change to occur before rollback and adds more services to maintain.
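The stack policy described in the explanation, written out as an added example (not part of the original question). The logical IDs `AdminRole` and `AppBucket` are constructed, and `is_update_allowed` is a simplified local model of the evaluation (explicit Deny wins, no `Condition`, `NotAction` or `NotResource` handling), not CloudFormation's own engine.

```python
import json
from fnmatch import fnmatchcase

# The two update actions the explanation says must be denied for the roles.
PROTECTED_ACTIONS = ["Update:Replace", "Update:Delete"]


def build_stack_policy(protected_logical_ids):
    """Allow every update action, then explicitly deny replace/delete on the given logical IDs."""
    return {
        "Statement": [
            {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
            {
                "Effect": "Deny",
                "Action": PROTECTED_ACTIONS,
                "Principal": "*",
                "Resource": [f"LogicalResourceId/{lid}" for lid in protected_logical_ids],
            },
        ]
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, logical_id, action):
    """True when the statement's Action and Resource patterns both cover this update."""
    resource = f"LogicalResourceId/{logical_id}"
    return any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])) and any(
        fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])
    )


def is_update_allowed(policy, logical_id, action):
    """Simplified model: an explicit Deny overrides any Allow; with no Allow, the update is blocked."""
    effects = [s["Effect"] for s in policy["Statement"] if _matches(s, logical_id, action)]
    return "Deny" not in effects and "Allow" in effects


if __name__ == "__main__":
    policy = build_stack_policy(["AdminRole"])  # constructed logical ID
    print(json.dumps(policy, indent=2))
    for lid, act in [("AdminRole", "Update:Replace"), ("AdminRole", "Update:Delete"),
                     ("AdminRole", "Update:Modify"), ("AppBucket", "Update:Delete")]:
        print(f"{lid:10} {act:15} allowed={is_update_allowed(policy, lid, act)}")
```

The printed JSON can be saved to a file and attached with `aws cloudformation set-stack-policy --stack-name <stack> --stack-policy-body file://policy.json`. Note that `Update:Modify` on the role is still allowed by this policy, since only replace and delete are denied.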
AWS Certified CloudOps Engineer Associate SOA-C03
Deployment, Provisioning, and Automation