Which solution will meet these requirements?
A. Set up an AWS Config rule to alert based on changes to any CloudFormation stack. An AWS Lambda function can then describe the stack to determine if any protected resources were modified and cancel the operation.
B. Set up an Amazon EventBridge event with a rule to initiate based on any CloudFormation API call. An AWS Lambda function can then describe the stack to determine if any protected resources were modified and cancel the operation.
C. Launch the CloudFormation templates using a stack policy with an explicit allow for all resources and an explicit deny of the protected resources with an action of Update:*.
D. Attach an IAM policy to the DevOps team role that prevents a CloudFormation stack from updating, with a condition based on the specific Amazon Resource Names (ARNs) of the protected resources.
Explanations:
A. AWS Config can alert on changes, but it cannot directly prevent changes or cancel operations in real time. An AWS Lambda function could detect the change, but there is no native mechanism to block an update that is already in progress.
B. Similar to Option A, EventBridge can capture CloudFormation API calls, but this approach does not prevent the stack update; it only reacts after the fact, which is not sufficient for preventing accidental changes.
C. A CloudFormation stack policy allows you to define explicit “Allow” and “Deny” rules for specific resources in a stack. By using an explicit deny for the protected resources with an action of Update:*, you prevent accidental updates to those resources while leaving the rest of the stack updatable.
D. Attaching an IAM policy to the DevOps team role can control permissions for actions such as updating a stack, but IAM conditions do not target individual resources inside a stack and so would not prevent modification of specific resources within it.
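For illustration, the stack policy that Option C describes, written out as an added example (not part of the original question set): an explicit allow of Update:* on every resource, followed by an explicit deny of Update:* on the protected resource. The logical resource ID ProtectedDatabase is a hypothetical name; substitute the logical IDs from your own template.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "LogicalResourceId/ProtectedDatabase"
    }
  ]
}
```

Because a deny always wins over an allow, an update that would modify, replace or delete ProtectedDatabase is rejected while updates to every other resource proceed; the policy is attached at creation with --stack-policy-body or later with set-stack-policy in the AWS CLI.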