Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 89 discussion

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html With the DeletionPolicy attribute you can preserve, and in some cases, backup a resource when its stack is deleted. You specify a DeletionPolicy attribute for each resource that you want to control. If a resource has no DeletionPolicy attribute, AWS CloudFormation deletes the resource by default. Retain CloudFormation keeps the resource without deleting the resource or its contents when its stack is deleted. You can add this deletion policy to any resource type. When CloudFormation completes the stack deletion, the stack will be in Delete_Complete state; however, resources that are retained continue to exist and continue to incur applicable charges until you delete those resource

By adding the DeletionPolicy attribute to the CloudFormation template for RDS and EBS resources, you can specify actions to be taken when a stack is deleted. Setting the DeletionPolicy to Retain ensures that the RDS and EBS resources are not deleted when the CloudFormation stack is deleted.

Option A is the correct approach because CloudFormation allows you to specify a DeletionPolicy attribute for resources within your templates. This attribute can prevent resources like Amazon RDS databases and Amazon EBS volumes from being deleted when the stack is deleted. You can set the DeletionPolicy to “Retain” for specific resources, ensuring they are not automatically removed alongside the stack.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html

A, basic DeletionPolicy use case

Although that I would preferably use both A and B - this is an exam and the truth is in the wording - "important data stored in Amazon RDS databases or Amazon EBS volumes might also be deleted" - we don't care if the resources are deleted but the data, which makes me believe they want us to set up a deletion policy at a resource level to "Retain"

Explanation: Stack policies are a powerful feature of AWS CloudFormation that allows you to control fine-grained permissions for resources within a stack. By configuring a stack policy that disallows the deletion of RDS and EBS resources, you can prevent users from accidentally deleting these critical resources and the associated data. Option A (Modifying CloudFormation templates with DeletionPolicy attribute) is not the best solution in this case. While the DeletionPolicy attribute can be used to control resource behavior during stack deletion, it is not applicable to Amazon RDS instances or Amazon EBS volumes.

Check the differences and use cases where to use a stack policy or add a deletion policy (retain): Stack policy and deletion policy are both ways to protect resources created by CloudFormation stacks, but they have different functions. Stack policy is a feature that allows you to specify a JSON policy document that restricts what actions can be taken on a CloudFormation stack. Stack policies are used to prevent accidental or intentional updates or deletions of critical resources in your stack, by specifying which resources can be modified and by whom. Stack policies can be used to allow specific teams or individuals to modify specific resources in a stack while preventing them from modifying others.

ption B, which suggests configuring a stack policy that disallows the deletion of RDS and EBS resources, is better in this scenario. While using DeletionPolicy attribute (Option A) can be helpful for preserving and backing up the resource, it does not address the problem of accidental deletion of resources or control access to delete the resource. On the other hand, a Stack Policy can be used to prevent accidental deletion of resources by specifying which actions can be performed on the resources within in the stack, thereby adding an essential layer of protection. By implementing a Stack Policy, a company can limit updating the resources in the stack, control who can make changes to the stack, and prevent accidental deletion of resources. Therefore, configuring a Stack Policy is necessary and more satisfactory to protect data from accidental deletion while using AWS CloudFormation.

A for sure

A stack policy is a document that defines the update and deletion actions that can be performed on resources in a CloudFormation stack. By default, all resources in a CloudFormation stack can be deleted by users with appropriate permissions. However, you can use a stack policy to restrict the deletion of certain resources, such as Amazon RDS databases or Amazon EBS volumes. In this case, the company can create a stack policy that explicitly disallows the deletion of any RDS or EBS resources in the production CloudFormation stack. This will prevent users from accidentally deleting important data stored in these resources.

For RDS instances, you can set the "DeletionPolicy" attribute to "Retain". This will ensure that when the stack is deleted, the RDS instance will not be deleted and its data will be retained. For EBS volumes, you can use the "DeletionPolicy" attribute in combination with the "SnapshotId" attribute to create a snapshot of the volume before deleting it. This will allow you to restore the data later if need Yaml examples for RDS and EBS : Resources: MyDB: Type: AWS::RDS::DBInstance Properties: # RDS instance properties go here DeletionPolicy: Retain Resources: MyVolume: Type: AWS::EC2::Volume Properties: # Volume properties go here DeletionPolicy: Snapshot SnapshotId: my-snapshot-id

Clear A

AC1984 do your homework. Stack policy can protect against deletion but not against actual entire CFN stack template being deleted. DeletionPolicy = if I was to delete the entire CFN stack, the CFN process will delete all elements and skip over RDS and EBS due to protections. 20 second Google search could of confirmed this.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html

B. Configure a stack policy that disallows the deletion of RDS and EBS resources. A stack policy is a JSON-based document that defines the actions that can be performed on a CloudFormation stack, and can be used to prevent users from accidentally deleting critical resources. By configuring a stack policy that disallows the deletion of RDS and EBS resources, the company can prevent users from accidentally deleting important data stored in those resources. Option A (adding a DeletionPolicy attribute) does not prevent users from deleting the resources, but rather determines what happens to the resources when the stack is deleted. Option C (modifying IAM policies) is not sufficient because it only affects the permissions of specific users or groups, and does not prevent accidental deletions. Option D (using AWS Config rules) can help detect deletions of RDS and EBS resources, but it does not prevent them from being deleted.

I go for A because I assume that the CF stack is allowed to be deleted in some deployment scenarios.