AWS: Prevent Updates to Stack Resources

When you create a stack, all update actions are allowed on all resources. By default, anyone with stack update permissions can update all of the resources in the stack. During an update, some resources might require an interruption or be completely replaced, resulting in new physical IDs or completely new storage. You can prevent stack resources from being unintentionally updated or deleted during a stack update by using a stack policy.

After you set a stack policy, all of the resources in the stack are protected by default.
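The default protection described above, as an added example that is not from the original page or AWS's own code: a simplified Python model of how a stack policy decides an update, run over a constructed policy. The logical IDs `WebServer` and `ProductionDatabase` and the function `is_update_allowed` are assumptions for illustration; the model handles only `Effect`, `Action`, `Principal` and `Resource` statements and rejects anything else.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policy: allow all updates, but deny every update action
# on the resource with the hypothetical logical ID "ProductionDatabase".
POLICY = json.loads("""
{
  "Statement": [
    {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "Update:*", "Principal": "*",
     "Resource": "LogicalResourceId/ProductionDatabase"}
  ]
}
""")

SUPPORTED_KEYS = {"Effect", "Action", "Principal", "Resource"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, logical_id):
    unsupported = set(stmt) - SUPPORTED_KEYS
    if unsupported:
        # Condition, NotAction and NotResource are outside this simplified model.
        raise ValueError(f"unsupported statement keys: {sorted(unsupported)}")
    target = f"LogicalResourceId/{logical_id}"
    action_hit = any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
    resource_hit = any(fnmatchcase(target, r) for r in _as_list(stmt["Resource"]))
    return action_hit and resource_hit


def is_update_allowed(policy, action, logical_id):
    """Return True if `action` (e.g. "Update:Replace") on `logical_id` is allowed."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, action, logical_id)}
    if "Deny" in effects:      # an explicit Deny overrides any Allow
        return False
    return "Allow" in effects  # no matching statement: protected by default


if __name__ == "__main__":
    for rid in ("WebServer", "ProductionDatabase"):
        print(rid, is_update_allowed(POLICY, "Update:Replace", rid))
    deny_only = {"Statement": [POLICY["Statement"][1]]}
    print("WebServer under Deny-only policy:",
          is_update_allowed(deny_only, "Update:Modify", "WebServer"))
```

A policy containing only the Deny statement still blocks updates to `WebServer`, which is why a policy meant to protect one resource also needs an explicit Allow for the rest.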

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html