AWS_CloudFormation_2

Ensure CloudFormation Stack Policy is attached

Description

CloudFormation stack policies prevent accidental updates to stack resources. A stack policy is a JSON document that defines which update actions can be performed on specified resources.

Remediation

1. Define the stack policy based on the type of resources that you want to protect against accidental updates.

2. Run the create-bucket command (OSX/Linux/UNIX) to create the S3 bucket that will store your stack policies.

3. The command output should return the new S3 bucket location.

4. Paste one of the policy documents outlined in step no. 1 into a JSON file based on your requirements, then run the put-object command (OSX/Linux/UNIX) to upload the file to the newly created S3 bucket.

5. The command output should return the entity tag (ETag) for the uploaded JSON file.

6. Run the set-stack-policy command (OSX/Linux/UNIX) to attach the stack policy created at step no. 4 to the selected CloudFormation stack.

7. If you need to update your stack and remove the protection from all resources, you can modify the policy to explicitly allow all actions on all resources and repeat steps no. 4 – 6 to apply the new policy.
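The procedure above as an added example (not part of the original page): a shell script that generates the protective policy from step 1 and the allow-all policy from step 7, plus a function that runs the create-bucket, put-object and set-stack-policy commands of steps 2, 4 and 6. The stack name, bucket, Region and logical resource id (`MyDatabase`) are placeholders you supply.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page. Stack name, bucket, Region and
# logical resource id are placeholders supplied by the caller.
set -euo pipefail

# Step 1: a stack policy that denies replacement and deletion of one resource
# and explicitly allows every other update. The Allow statement matters: once a
# stack policy is attached, resources it does not explicitly allow are protected.
stack_policy_protect() {
  local logical_id="$1"
  cat <<EOF
{
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["Update:Replace", "Update:Delete"],
      "Principal": "*",
      "Resource": "LogicalResourceId/${logical_id}"
    },
    { "Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*" }
  ]
}
EOF
}

# Step 7: the policy that lifts protection from every resource before an update.
stack_policy_allow_all() {
  printf '{ "Statement": [ { "Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*" } ] }\n'
}

# Steps 2, 4 and 6: create the bucket, upload the policy file (the ETag of the
# object is printed, step 5) and attach it to the stack. Needs the AWS CLI and
# credentials; the policy object must be in the same Region as the stack.
apply_stack_policy() {
  local stack="$1" bucket="$2" region="$3" policy_file="$4"
  local key; key="$(basename "$policy_file")"
  if [ "$region" = "us-east-1" ]; then   # us-east-1 rejects a LocationConstraint
    aws s3api create-bucket --bucket "$bucket" --region "$region"
  else
    aws s3api create-bucket --bucket "$bucket" --region "$region" \
      --create-bucket-configuration LocationConstraint="$region"
  fi
  aws s3api put-object --bucket "$bucket" --key "$key" --body "$policy_file" \
    --query ETag --output text
  aws cloudformation set-stack-policy --stack-name "$stack" --region "$region" \
    --stack-policy-url "https://${bucket}.s3.${region}.amazonaws.com/${key}"
}

# Stand-alone run: print the protective policy for a resource named MyDatabase.
stack_policy_protect "MyDatabase"
```

To apply it, redirect the printed policy to a file and call `apply_stack_policy <stack> <bucket> <region> <file>`; to remove the protection later (step 7), upload and attach the output of `stack_policy_allow_all` the same way.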

Service

CloudFormation

Severity

Medium

Compliance

Mapping
