1 Answers
Hi Rowan,
This question tests your knowledge around knowing that any updates not explicitly allowed are denied by default. It comes straight from the documentation (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html).
You’re correct that the question does not explicitly say we need to make changes to other resources, hence requiring the Allow component. But, we also cannot assume the production database is the only resource in the stack. If you were a consultant, you’d want to guide the client to implement the stack policy that is most specific to the need. You wouldn’t wait until the client complained that they couldn’t update the Dev database to say "well you didn’t say you wanted to update other resources".
–Scott
Fair enough. Thanks for answering, Scott.
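The default-deny behaviour discussed in the answer above, as an added example that is not part of the original thread and not AWS's own code: a simplified evaluator (explicit Deny wins, then Allow, otherwise denied) run over a Deny-only stack policy and an Allow-plus-Deny one. The logical IDs `ProductionDatabase` and `DevDatabase` are constructed, and `Condition`, `NotAction` and `NotResource` are not modelled.

```python
import fnmatch

# Stack policies in the documented JSON shape; the logical IDs are constructed.
DENY_ONLY = {"Statement": [
    {"Effect": "Deny", "Action": "Update:*", "Principal": "*",
     "Resource": "LogicalResourceId/ProductionDatabase"},
]}
ALLOW_THEN_DENY = {"Statement": [
    {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "Update:*", "Principal": "*",
     "Resource": "LogicalResourceId/ProductionDatabase"},
]}


def _as_list(value):
    # Action and Resource may each be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, logical_id):
    # A statement applies when both its Action and Resource patterns match.
    target = f"LogicalResourceId/{logical_id}"
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(target, r) for r in _as_list(stmt["Resource"])))


def update_allowed(policy, action, logical_id):
    """Simplified model: explicit Deny wins, then Allow, otherwise denied by default."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _matches(s, action, logical_id)}
    if "Deny" in effects:
        return False
    return "Allow" in effects  # no matching statement at all means denied


def report(policy, resources, action="Update:Modify"):
    # Map each logical ID to whether the given update action would be permitted.
    return {r: update_allowed(policy, action, r) for r in resources}


if __name__ == "__main__":
    resources = ["ProductionDatabase", "DevDatabase"]
    print("Deny only:      ", report(DENY_ONLY, resources))
    print("Allow then Deny:", report(ALLOW_THEN_DENY, resources))
```

With the Deny-only policy, `DevDatabase` is blocked as well, because no statement allows it.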