There is no explicit requirement stated in the question that once the stack is up the colleague needs or wants to make any changes. There is only his requirement that the database be protected.
So, maybe consider updating the question, because otherwise options A and/or D would seem to be the correct answers?
Unless I’m missing something entirely?
This question tests your knowledge around knowing that any updates not explicitly allowed are denied by default. It comes straight from the documentation (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html)
You’re correct that the question does not explicitly say we need to make changes to other resources, hence requiring the Allow component. But, we also cannot assume the production database is the only resource in the stack. If you were a consultant, you’d want to guide the client to implement the stack policy that is most specific to the need. You wouldn’t wait until the client complained that they couldn’t update the Dev database to say "well you didn’t say you wanted to update other resources".
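
The default-deny behaviour discussed in this thread, as an added example that is not part of either comment and is not AWS code: a simplified model of stack policy evaluation comparing a Deny-only policy with an Allow-plus-Deny policy. The logical IDs `ProductionDatabase` and `DevDatabase` are assumed names, and the model ignores `NotAction`, `NotResource` and `Condition`.

```python
from fnmatch import fnmatchcase

# Constructed policies; the logical IDs ProductionDatabase and DevDatabase are assumed names.
DENY_ONLY = {"Statement": [
    {"Effect": "Deny", "Action": "Update:*", "Principal": "*",
     "Resource": "LogicalResourceId/ProductionDatabase"},
]}
ALLOW_THEN_DENY = {"Statement": [
    {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "Update:*", "Principal": "*",
     "Resource": "LogicalResourceId/ProductionDatabase"},
]}

def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def update_allowed(policy, logical_id, action="Update:Modify"):
    """Simplified model: explicit Deny wins, then explicit Allow, else denied."""
    target = f"LogicalResourceId/{logical_id}"
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(target, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides any Allow
        allowed = True
    return allowed  # stays False when no statement allowed the update

def report(policy, logical_ids):
    """Map each logical ID to whether the policy permits updating it."""
    return {lid: update_allowed(policy, lid) for lid in logical_ids}

if __name__ == "__main__":
    ids = ["ProductionDatabase", "DevDatabase"]
    print("deny only:   ", report(DENY_ONLY, ids))
    print("allow + deny:", report(ALLOW_THEN_DENY, ids))
```

With the Deny-only policy both resources come back as not updatable, because nothing allows updates to `DevDatabase`; only the Allow-plus-Deny policy protects the production database while leaving the rest of the stack updatable.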