A CloudFormation template is used to deploy an application stack that includes a DynamoDB backend database. The development team would like to prevent accidental replacements or deletions of the production database when a template update is applied. What is the best method for the team to achieve this requirement?

Answer options:

A.Implement IAM policy:
{
 "Effect" : "Deny",
 "Action" : "Update:*",
 "Principal": "*",
 "Resource" : "LogicalResourceId/ProductionDatabase"
 }
Assign the IAM Policy to the CloudFormation Service Role.
B.Implement CloudFormation Stack Policy:
{
 "Effect" : "Deny",
 "Action" : "Update:*",
 "Principal": "*",
 "Resource" : "LogicalResourceId/ProductionDatabase"
 }
C.Configure Delete Protection on the database
D.Implement IAM policy:
{
 "Effect" : "Deny",
 "Action" : "Update:*",
 "Principal": "*",
 "Resource" : "LogicalResourceId/ProductionDatabase"
 }
Assign the IAM Policy to the development team IAM group.

Answer: B
Option A is incorrect because CloudFormation Service Roles are used for granting permissions and actions CloudFormation can perform when deploying a template across all AWS services and resources. This is not the best solution for protecting a specific stack or resource as the policy is associated with the role (and not the specific stack/resources in question).
Option B is CORRECT because CloudFormation Stack Policies can be used to deny actions on specific stack or resources to protect them from unintended modifications.
Option C is incorrect because DynamoDB does not have delete protection.
Option D is incorrect because assigning this IAM policy to the development team IAM group does nothing to protect and prevent updates to the database from updates performed via CloudFormation template deployments.
Reference:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html