3.1 CloudFormation & SAM

Key Takeaways

  • A change set previews the adds, modifies, and replacements of a stack update before you execute it, so a logical-ID rename never silently recreates a production resource.
  • Drift detection finds resources whose live configuration no longer matches the template, usually because of a manual console or CLI edit.
  • AWS SAM is a CloudFormation extension: the line Transform: AWS::Serverless-2016-10-31 expands shorthand resources like AWS::Serverless::Function into full CloudFormation at deploy time.
  • The SAM Globals section sets properties (Runtime, MemorySize, Timeout) shared by every function and API, removing repetition.
  • DeletionPolicy: Retain and stack policies protect critical resources such as production databases from accidental delete or replacement during an update.
Last updated: June 2026

CloudFormation: declarative stacks

AWS CloudFormation turns a JSON or YAML template into a stack of real resources. Because the template is code, you get repeatable, version-controlled, multi-environment provisioning and automatic rollback on failure. The Deployment domain is 24% of the DVA-C02 exam (the single largest domain), and 65 questions across 130 minutes leave little room to guess template mechanics, so master them cold.

A template has named top-level sections. The exam expects you to recognize each by purpose:

Section    | Purpose                                               | Required?
-----------|-------------------------------------------------------|----------
Parameters | Inputs supplied at deploy time (e.g. instance type)   | No
Mappings   | Static key lookups (e.g. region to AMI ID)            | No
Conditions | Create resources only when a test is true             | No
Resources  | The actual AWS resources to provision                 | Yes
Outputs    | Values to export, display, or feed to other stacks    | No

Resources is the only mandatory section. AWSTemplateFormatVersion and Description are optional metadata, and Metadata can carry configuration for tools like CloudFormation Designer or cfn-init.

When you create a stack, CloudFormation provisions resources in dependency order (inferred from references or forced with DependsOn), and if any resource fails it rolls back the whole stack by default, deleting what it already built. An update behaves similarly: a failed update returns the stack to UPDATE_ROLLBACK_COMPLETE. You can disable rollback to debug, but the exam treats automatic rollback as the safe default.

Intrinsic functions

Intrinsic functions compute values at deploy time because real IDs and ARNs do not exist until resources are created. Memorize these four:

  • Ref returns a parameter's value or a resource's physical ID (e.g. an EC2 instance ID).
  • Fn::GetAtt returns an attribute, such as an S3 bucket's Arn or a load balancer's DNS name.
  • Fn::Sub injects variables into a string, e.g. !Sub 'arn:aws:s3:::${BucketName}/*'.
  • Fn::ImportValue consumes another stack's exported Output, the basis of cross-stack references.
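The template below is an added example, not one from the page or from AWS documentation. It puts every optional section next to the mandatory Resources section and uses all four intrinsic functions plus the pseudo parameters (AWS::Region, AWS::AccountId, AWS::StackName, AWS::NoValue). The bucket naming scheme, the export name, the role and the AMI IDs in the Mappings block are assumptions (the AMI values are placeholders and must be replaced before a real deploy):

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not from the page): one stack exercising every template
  section, the four intrinsic functions and the pseudo parameters.

Parameters:
  Environment:
    Type: String
    AllowedValues: [dev, prod]
    Default: dev
  InstanceType:
    Type: String
    Default: t3.micro

Mappings:
  # Placeholder AMI IDs (assumption): resolved per region with Fn::FindInMap.
  RegionMap:
    us-east-1:
      AMI: ami-PLACEHOLDER-use1
    eu-west-1:
      AMI: ami-PLACEHOLDER-euw1

Conditions:
  IsProd: !Equals [!Ref Environment, prod]

Resources:
  ArtifactBucket:
    Type: AWS::S3::Bucket
    Properties:
      # Pseudo parameters make the name unique per account and region without a Parameter.
      BucketName: !Sub '${AWS::StackName}-artifacts-${AWS::AccountId}-${AWS::Region}'
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # AWS::NoValue removes the property entirely: versioning exists only in prod.
      VersioningConfiguration: !If
        - IsProd
        - Status: Enabled
        - !Ref AWS::NoValue

  ReaderRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: read-artifacts
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: s3:GetObject
                # Fn::Sub with a GetAtt-style variable: the bucket ARN plus an object path.
                Resource: !Sub '${ArtifactBucket.Arn}/*'
              - Effect: Allow
                Action: s3:ListBucket
                # Fn::GetAtt returns an attribute, here the bucket ARN, not the bucket name.
                Resource: !GetAtt ArtifactBucket.Arn

  ReportingInstance:
    Type: AWS::EC2::Instance
    Condition: IsProd          # created only when the condition evaluates to true
    Properties:
      InstanceType: !Ref InstanceType
      ImageId: !FindInMap [RegionMap, !Ref AWS::Region, AMI]

Outputs:
  BucketName:
    Description: Ref on a resource returns its physical ID (the bucket name)
    Value: !Ref ArtifactBucket
  BucketArn:
    Value: !GetAtt ArtifactBucket.Arn
    Export:
      # Another stack consumes this with Fn::ImportValue; the export name is an assumption.
      Name: !Sub '${AWS::StackName}-ArtifactBucketArn'
  InstanceId:
    Condition: IsProd          # an Output can carry a Condition, so dev stacks omit it
    Value: !Ref ReportingInstance
```

Deploying it twice, once with Environment=dev and once with prod, shows the Conditions section at work: the dev stack has no instance and no versioning, the prod stack has both, and in neither case does the IAM policy grant access beyond the one bucket the stack created.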

Change sets, drift, and nested stacks

  • A change set previews the exact adds, modifies, and replacements before you execute an update. A property change marked Replacement: True (for example renaming a DynamoDB table) destroys and recreates the resource, so the change set is your last-chance review.
  • Drift detection reports resources whose live state diverged from the template, typically after a manual console edit. It does not preview a pending update.
  • Nested stacks let a parent reuse a child template through AWS::CloudFormation::Stack, while cross-stack references share values via Export/Fn::ImportValue.
  • DeletionPolicy: Retain keeps a resource (e.g. an RDS database) when the stack is deleted, DeletionPolicy: Snapshot snapshots first, and stack policies deny specific update or delete actions on protected resources.
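As an added example (not from the page), the consumer stack below combines the cross-stack and protection mechanisms from the bullets above: it imports a producer stack's exported bucket ARN, keeps a DynamoDB table when the stack is deleted or the table is replaced, and snapshots an RDS instance before any delete or replacement. The producer stack name and its export name `<stack>-ArtifactBucketArn` are assumptions:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not from the page): a consumer stack that imports another
  stack's export and protects its stateful resources.

Parameters:
  ProducerStackName:
    Type: String
    Default: shared
    Description: Stack whose Outputs section exports ArtifactBucketArn (assumption)

Resources:
  OrdersTable:
    Type: AWS::DynamoDB::Table
    # Deleting the stack leaves the table and its data in place.
    DeletionPolicy: Retain
    # A change that forces replacement (new TableName or key schema) also keeps the old table.
    UpdateReplacePolicy: Retain
    Properties:
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: orderId
          AttributeType: S
      KeySchema:
        - AttributeName: orderId
          KeyType: HASH
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true

  OrdersDatabase:
    Type: AWS::RDS::DBInstance
    # A final snapshot is taken before the instance is deleted or replaced.
    DeletionPolicy: Snapshot
    UpdateReplacePolicy: Snapshot
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.micro
      AllocatedStorage: '20'
      MasterUsername: admin
      ManageMasterUserPassword: true   # password is generated into Secrets Manager, never in the template
      StorageEncrypted: true
      PubliclyAccessible: false
      DeletionProtection: true          # the engine itself also refuses a delete until this is cleared

  ExportReaderRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: read-shared-artifacts
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: s3:GetObject
                # Cross-stack reference: Fn::ImportValue resolves the producer's exported ARN.
                Resource: !Sub
                  - '${BucketArn}/*'
                  - BucketArn:
                      Fn::ImportValue: !Sub '${ProducerStackName}-ArtifactBucketArn'
```

Two behaviours are worth verifying on a test account. First, while this stack imports the export, CloudFormation refuses to delete the producer stack or remove the export, which is the reason cross-stack references are safer than copying an ARN into a parameter. Second, the DeletionPolicy only acts once a delete or replacement is already under way; to stop the replacement from being attempted at all, attach a stack policy (a separate JSON document passed with --stack-policy-body) that denies Update:Replace and Update:Delete for LogicalResourceId/OrdersDatabase, and review the change set, which will show Replacement: True for the database, before executing.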

AWS SAM

AWS Serverless Application Model (SAM) is a CloudFormation extension purpose-built for serverless apps. The header line Transform: AWS::Serverless-2016-10-31 tells CloudFormation to expand SAM shorthand such as AWS::Serverless::Function, AWS::Serverless::Api, and AWS::Serverless::SimpleTable into full CloudFormation resources at deploy time. Anything you can write in CloudFormation you can also include in a SAM template, so they mix freely.

The Globals section is unique to SAM. It applies shared properties such as Runtime, MemorySize, Timeout, and Environment to every function or API, eliminating per-resource repetition.

SAM CLI workflow

Command              | What it does
---------------------|------------------------------------------------------
sam build            | Resolves dependencies and stages build artifacts
sam local invoke     | Runs one function in a local Docker container
sam local start-api  | Emulates API Gateway + Lambda locally
sam deploy --guided  | Packages to S3 and creates/updates the stack

Common trap: choose SAM when the question stresses concise serverless templates or local testing in Docker; choose raw CloudFormation when the workload spans resource types SAM does not abbreviate (VPCs, full RDS clusters, IAM-heavy stacks). SAM deploy uses a change set under the hood, so production serverless changes are still reviewable.

Pseudo parameters and the package step

CloudFormation exposes read-only pseudo parameters you reference with Ref: AWS::Region, AWS::AccountId, AWS::StackName, and AWS::NoValue (which removes a property). They appear in many template questions, so recognize them.

Both engines need a package step for local artifacts: CloudFormation's aws cloudformation package (and SAM's equivalent inside sam deploy) uploads local code and templates to an S3 bucket, then rewrites the references to S3 URIs. Lambda function code, nested-stack templates, and API definition files cannot be deployed straight from disk — they must transit S3 first. A question describing a 'template references a local folder of Lambda code that will not deploy' is pointing at the missing package/upload step.

Finally, SAM policy templates (e.g. S3ReadPolicy, DynamoDBCrudPolicy) generate scoped IAM policies for a function from a short name, saving you from hand-writing IAM JSON — a SAM-only convenience the exam may reference.
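The SAM template below is an added example, not code from the page or from the AWS SAM project. It ties together the Transform line, a Globals section shared by both functions, SAM shorthand resources, the local CodeUri that the package step uploads to S3, and two SAM policy templates scoped to one table. The function code directory ./src and the handler names are assumptions:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
# The Transform line is what lets CloudFormation expand AWS::Serverless::* shorthand.
Transform: AWS::Serverless-2016-10-31
Description: >-
  Added example (not from the page): a small orders API. The ./src code
  directory and handler names are assumptions.

Globals:
  # Inherited by every AWS::Serverless::Function below; a function may override a value.
  Function:
    Runtime: python3.12
    MemorySize: 512
    Timeout: 30
    Tracing: Active
    Environment:
      Variables:
        TABLE_NAME: !Ref OrdersTable
  Api:
    TracingEnabled: true

Resources:
  OrdersTable:
    Type: AWS::Serverless::SimpleTable   # expands to AWS::DynamoDB::Table
    DeletionPolicy: Retain               # plain CloudFormation attributes still apply
    UpdateReplacePolicy: Retain
    Properties:
      PrimaryKey:
        Name: orderId
        Type: String

  GetOrderFunction:
    Type: AWS::Serverless::Function      # expands to Lambda function + execution role + API permission
    Properties:
      CodeUri: ./src                     # local path: sam deploy uploads it to S3 before the stack update
      Handler: app.get_order
      Policies:
        # SAM policy template: read-only DynamoDB access, scoped to this one table.
        - DynamoDBReadPolicy:
            TableName: !Ref OrdersTable
      Events:
        GetOrder:
          Type: Api                      # creates the implicit ServerlessRestApi resource
          Properties:
            Path: /orders/{orderId}
            Method: get

  CreateOrderFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ./src
      Handler: app.create_order
      Timeout: 10                        # overrides the Globals value for this function only
      Policies:
        # Write path gets the CRUD template; the read function above never gets PutItem.
        - DynamoDBCrudPolicy:
            TableName: !Ref OrdersTable
      Events:
        CreateOrder:
          Type: Api
          Properties:
            Path: /orders
            Method: post

Outputs:
  ApiUrl:
    # ServerlessRestApi is the logical ID SAM assigns to the implicit API; Prod is its default stage.
    Value: !Sub 'https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/orders'
```

Running sam build and then sam local invoke GetOrderFunction exercises the function in Docker with the Globals values applied, and sam deploy --guided shows the generated change set, with the expanded AWS::Lambda::Function, AWS::IAM::Role and AWS::ApiGateway::RestApi resources, before anything is created.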

Stack lifecycle states and helpers

Know the major stack states by name: CREATE_COMPLETE, UPDATE_COMPLETE, ROLLBACK_COMPLETE (a failed create that rolled back — you must delete and recreate), and UPDATE_ROLLBACK_COMPLETE (a failed update that reverted). On an EC2 instance launched by a stack, the helper scripts coordinate bootstrapping: cfn-init reads the AWS::CloudFormation::Init metadata to install packages and write files, cfn-signal reports success or failure back to a CreationPolicy or wait condition, and cfn-hup watches for metadata changes.

A scenario where 'the stack reports CREATE_COMPLETE before the instance finished configuring' points to a missing cfn-signal plus CreationPolicy, ensuring the stack waits for the signal before declaring success.

Test Your Knowledge

A developer renamed a resource's logical ID in a CloudFormation template and wants to confirm whether applying the update will replace the underlying production resource before any change happens. What should they use?

Test Your Knowledge

A team's SAM template needs every Lambda function to share the same Python runtime, 512 MB of memory, and a 30-second timeout without repeating those settings on each function. Which SAM template element should they use?

Test Your Knowledge

Which SAM CLI command lets a developer run a Lambda function on their workstation in a Docker container to test it before deploying?
