A pharma company is using VPC to deploy all its application & database servers. All this server infrastructure in VPC is deployed using AWS CloudFormation Templates. Based upon user requirements, a large number of servers are deployed on EC2 instances within each VPC. Last week there was a major outage due to the addition and removal of a CIDR range through CloudFormation template in one VPC with critical Database servers. All connectivity from application servers to database servers was hampered due to this modification. Top management needs to have a proactive measure to be set up so that all such outages can be avoided in the future. Which of the following steps can be taken to meet this requirement?

Answer options:

A.Enabled Stack termination protection for each stack.
B.Manually Hard code CIDR range in each template & deny all users from modifying these CIDR ranges.
C.Modify IAM rules so that only restrictive users have permission to update Stack.
D.Create a Stack Policy that will deny users from adding or removing CIDR range(s) within a VPC.

Correct Answer – D
A Stack Policy can be used to prevent users from updating, replacing or deleting a stack resource within a Stack ( in this case, it is the addition and removal of a CIDR range ).
Option A is incorrect as this will prevent accidental deletion of the stack & not prevent individual Stack resources with a stack being updated.
Option B is incorrect as this will incur additional admin work for setting many VPC.Option C is incorrect as IAM rules will grant restrictive permission to users. But this will not prevent updating stack resources from a user having permission.
For more information on the creation of Stack Policy, refer to the following URL
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html