Exam AWS Certified Solutions Architect - Professional topic 1 question 687 discussion

A large financial company is deploying applications that consist of Amazon EC2 and Amazon RDS instances to the AWS Cloud using AWS CloudFormation.
The CloudFormation stack has the following stack policy:

The company wants to ensure that developers do not lose data by accidentally removing or replacing RDS instances when updating the CloudFormation stack.
Developers also still need to be able to modify or remove EC2 instances as needed.
How should the company change the stack policy to meet these requirements?

  • A. Modify the statement to specify "Effect": "Deny", "Action": ["Update:*"] for all logical RDS resources.
  • B. Modify the statement to specify "Effect": "Deny", "Action": ["Update:Delete"] for all logical RDS resources.
  • C. Add a second statement that specifies "Effect": "Deny", "Action": ["Update:Delete", "Update:Replace"] for all logical RDS resources.
  • D. Add a second statement that specifies "Effect": "Deny", "Action": ["Update:*"] for all logical RDS resources.
Suggested Answer: C
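
An added example, not part of the original question or any commenter's post: a simplified Python model of stack-policy evaluation (an explicit Deny overrides an Allow, and an update with no matching Allow is denied) that compares options B, C and D. The general allow statement is assumed from the commenters' description because the question's policy is not reproduced on this page, and the logical IDs AppDatabase and WebServer are constructed.

```python
from fnmatch import fnmatchcase

# Assumed: the general allow statement the commenters describe (policy image missing here).
ALLOW_ALL = {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"}

def rds_deny(actions):
    """Deny statement scoped to every RDS DB instance via a ResourceType condition."""
    return {"Effect": "Deny", "Action": actions, "Principal": "*", "Resource": "*",
            "Condition": {"StringEquals": {"ResourceType": ["AWS::RDS::DBInstance"]}}}

OPTION_B = {"Statement": [rds_deny(["Update:Delete"])]}  # allow statement overwritten
OPTION_C = {"Statement": [ALLOW_ALL, rds_deny(["Update:Delete", "Update:Replace"])]}
OPTION_D = {"Statement": [ALLOW_ALL, rds_deny(["Update:*"])]}

# Constructed sample stack resources (hypothetical logical IDs).
RESOURCES = {"AppDatabase": "AWS::RDS::DBInstance", "WebServer": "AWS::EC2::Instance"}
ACTIONS = ("Update:Modify", "Update:Replace", "Update:Delete")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _applies(stmt, action, logical_id, resource_type):
    """True when the statement's Action, Resource and ResourceType condition all match."""
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    target = "LogicalResourceId/" + logical_id
    if not any(fnmatchcase(target, r) for r in _as_list(stmt["Resource"])):
        return False
    types = stmt.get("Condition", {}).get("StringEquals", {}).get("ResourceType")
    return types is None or resource_type in _as_list(types)

def is_update_allowed(policy, action, logical_id, resource_type):
    """Explicit Deny wins; with no matching Allow the update is denied by default."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _applies(s, action, logical_id, resource_type)}
    return "Deny" not in effects and "Allow" in effects

def blocked_updates(policy):
    """Return the sorted (logical_id, action) pairs the policy refuses."""
    return sorted((lid, act) for lid, rtype in RESOURCES.items() for act in ACTIONS
                  if not is_update_allowed(policy, act, lid, rtype))

if __name__ == "__main__":
    for name, policy in (("B", OPTION_B), ("C", OPTION_C), ("D", OPTION_D)):
        print(name, blocked_updates(policy))
```

Option C blocks only delete and replace on the database, option D also blocks in-place modification of it, and option B leaves the EC2 instance without any matching Allow.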

Comments

Waiweng
Highly Voted 3 years, 7 months ago
it's C
upvoted 10 times
...
SD13
Highly Voted 3 years, 7 months ago
C: Supporting link: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html#protect-stack-resources-modifying
Prevent replacement updates for an instance: The following policy denies updates that would cause a replacement of the instance with the MyInstance logical ID. It allows all update actions on all other stack resources with an Allow statement. The Allow statement doesn't apply to the MyInstance resource because the Deny statement always overrides allow actions.
upvoted 6 times
...
awsa37430
Most Recent 2 years, 7 months ago
Selected Answer: C
cccccccc
upvoted 1 times
...
cldy
3 years, 6 months ago
C. Add a second statement that specifies "Effect": "Deny", "Action": ["Update:Delete", "Update:Replace"] for all logical RDS resources.
upvoted 1 times
...
AzureDP900
3 years, 6 months ago
C is right
upvoted 1 times
...
backfringe
3 years, 6 months ago
CCCCCCC
upvoted 1 times
...
ByomkeshDas
3 years, 6 months ago
C is correct
upvoted 1 times
...
tgv
3 years, 7 months ago
CCC ---
upvoted 1 times
...
WhyIronMan
3 years, 7 months ago
I'll go with C
upvoted 1 times
...
hk436
3 years, 7 months ago
c for sure.!
upvoted 3 times
...
Pupu86
3 years, 8 months ago
D is correct, with Update: * (representing delete & replace) on 2nd statement. This explicitly denies any updates to database resources only. You do not have to explicitly indicate Update with delete and replace (like what option C did).
upvoted 1 times
Pupu86
3 years, 7 months ago
My apologies, Answer should be C as Action: Modify should be implicitly allowed
upvoted 4 times
MrCarter
3 years, 7 months ago
Yes, the question says prevent replacement or deletion but not modification of existing RDS resource
upvoted 2 times
...
kirrim
3 years, 7 months ago
Agree with C!
A & B are invalid because by overwriting that allow statement, you would not allow updates to anything. Whereas C & D leave the general allow statement in place, but add another statement with more specific deny actions for the RDS resources.
Between C & D, there are four options for the Update action:
- Update:Modify
- Update:Replace
- Update:Delete
- Update:*
The question says to deny "removing or replacing RDS instances", so that means we only need to deny Update:Replace and Update:Delete, while still allowing Update:Modify.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html#stack-policy-reference
upvoted 3 times
...
...
...
nasuu
3 years, 8 months ago
This answer is C. Question is about CloudFormation Stack Policy, not CLI. "Update:Delete" and "Update:Replace" should be applied for only RDS. C explains that. https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html
upvoted 3 times
DashL
3 years, 7 months ago
This link is in Chinese/Japanese/Korean. Open at your own risk. Here is the correct link: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html
upvoted 1 times
...
...
eji
3 years, 8 months ago
I agree with C
upvoted 3 times
eji
3 years, 8 months ago
Sorry, I think D, because you can modify or remove for EC2, but you cannot do update or delete for RDS resources
upvoted 1 times
...
...
awsnoob
3 years, 8 months ago
Should be C, policies are implicit deny and explicit allow.
upvoted 3 times
...
sek12324
3 years, 8 months ago
Sorry, it's B, you modify the same statement
upvoted 2 times
...
sek12324
3 years, 8 months ago
C
{
  "Statement" : [
    {
      "Effect" : "Deny",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "LogicalResourceId/MyDatabase"
    },
    {
      "Effect" : "Allow",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*"
    }
  ]
}
upvoted 3 times
tvs
3 years, 7 months ago
This will block all DB updates; we need to block only delete and replace.
upvoted 2 times
...
...