Stack policies are written in the same JSON statement style as the IAM policies and S3 bucket policies we looked at earlier, but their purpose is narrower: they control which resources in a stack may be changed during a stack update, and by which update actions (Update:Modify, Update:Replace, Update:Delete, or the wildcard Update:*). As soon as a stack policy is attached, every resource in the stack is protected by default, and you must explicitly Allow an update action on a resource before it can be changed. A stack policy applies to every user who attempts to update the stack, regardless of their IAM permissions; it can only be overridden for the duration of a single update by supplying a temporary policy with that update. If no stack policy is attached, all update actions are allowed on all resources, and any IAM principal with permission to update the stack can update every resource in it. Note that a stack policy only governs updates: it does not stop someone with delete permissions from deleting the whole stack (termination protection is the control for that).
You write the policy as a JSON document and attach it to the stack, either when the stack is created or later with set-stack-policy. A policy along the following lines illustrates the idea.
The first statement allows all update actions (Update:*) on all resources. The second statement denies all update actions on the resource whose logical ID is EC2Instance. Because an explicit Deny always overrides an Allow, this policy allows all update actions on all resources except the...
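To make the evaluation rules concrete, here is an added example (not the course's own code and not CloudFormation's implementation) that models how a stack policy decides whether a proposed change is permitted. It embeds the policy described above, reconstructed from that description, and goes slightly beyond it: it also shows the default-deny behaviour of a policy that only allows Update:Modify on resources whose logical ID starts with Web, and the no-policy case. Logical IDs such as WebServerSecurityGroup and RootVolume, and the list of proposed changes, are constructed for the example. NotAction, NotResource and Condition clauses are not modelled.

```python
"""Stack-policy evaluator written for this page as an illustration.

This is NOT CloudFormation's own code. It models the documented rules:
- with a policy attached, every resource is protected unless a statement allows it
- a statement matches on Action and on LogicalResourceId/<id> ('*' wildcards allowed)
- an explicit Deny overrides any Allow
- with no policy attached, every update action is permitted
"""
import fnmatch
import json

# The policy described in the text, reconstructed from that description:
# allow all update actions everywhere, then deny them on EC2Instance.
# Principal must be "*" in a stack policy.
STACK_POLICY = json.loads("""
{
  "Statement": [
    {"Effect": "Allow", "Action": "Update:*", "Principal": "*",
     "Resource": "*"},
    {"Effect": "Deny",  "Action": "Update:*", "Principal": "*",
     "Resource": "LogicalResourceId/EC2Instance"}
  ]
}
""")

# A stricter, constructed policy for comparison: only Update:Modify on
# resources whose logical ID starts with "Web". Everything else is caught
# by the implicit deny that applies once a policy exists.
STRICT_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "Update:Modify", "Principal": "*",
         "Resource": "LogicalResourceId/Web*"}
    ]
}

# Constructed list of changes a hypothetical stack update wants to make.
PROPOSED_CHANGES = [
    ("EC2Instance", "Update:Replace"),
    ("EC2Instance", "Update:Modify"),
    ("WebServerSecurityGroup", "Update:Modify"),
    ("RootVolume", "Update:Delete"),
]


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(statement, action, logical_id):
    """True if the statement's Action and Resource both cover this change."""
    action_ok = any(fnmatch.fnmatchcase(action, pattern)
                    for pattern in _as_list(statement["Action"]))
    resource_ok = any(fnmatch.fnmatchcase("LogicalResourceId/" + logical_id, pattern)
                      for pattern in _as_list(statement["Resource"]))
    return action_ok and resource_ok


def is_allowed(policy, action, logical_id):
    """Decide one proposed change: no policy -> allowed; otherwise a matching
    Deny wins, a matching Allow permits, and no match means denied."""
    if policy is None:
        return True
    effects = {s["Effect"] for s in policy["Statement"]
               if _matches(s, action, logical_id)}
    if "Deny" in effects:
        return False
    return "Allow" in effects


def check_update(policy, changes):
    """Return the (logical_id, action) pairs the policy would block."""
    return [(rid, act) for rid, act in changes if not is_allowed(policy, act, rid)]


if __name__ == "__main__":
    for name, policy in (("no policy", None),
                         ("policy from the text", STACK_POLICY),
                         ("strict policy", STRICT_POLICY)):
        print(f"{name}: blocked = {check_update(policy, PROPOSED_CHANGES)}")
```

With the policy from the text, only the two changes to EC2Instance are blocked; with the strict policy, everything except the Update:Modify on WebServerSecurityGroup is blocked, which is the default-deny behaviour to keep in mind when you attach any policy. To apply a real policy file to a stack you would use aws cloudformation set-stack-policy --stack-name STACK --stack-policy-body file://policy.json.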