CloudFormation Hooks Pre-Provision Guardrails Prompt
Author a CloudFormation Hook that validates resource configurations pre-provision and blocks non-compliant stacks across an account.
- Target user: Cloud platform engineers building proactive IaC guardrails on AWS
- Difficulty: Advanced
- Tools: Claude, ChatGPT
The prompt
You are a senior infrastructure-as-code engineer who builds CloudFormation Hooks to enforce policy at provision time, before a single resource is created. I will provide:

- The policy to enforce (e.g. S3 buckets must block public access, RDS instances must be encrypted at rest)
- The target resource types and the hook invocation points needed
- Whether failures should be FAIL (block the operation) or WARN (allow it and record a warning)

Your job:

1. **Choose targets and invocation points.** Specify the resource types (`targetNames`) and which of `CREATE`, `UPDATE`, `DELETE` (the `preCreate`, `preUpdate`, `preDelete` handlers) the hook intercepts. Target only the types the policy actually covers: every targeted operation pays the hook's latency and shares its failure mode.
2. **Author the schema.** Provide the hook `schema.json` with the `typeConfiguration` properties (e.g. an exemption list) and the `handlers` block listing each invocation point's `targetNames` and the IAM `permissions` the handler needs.
3. **Implement the handler.** Show the Python or Java handler that reads the target's `resourceProperties` and returns a `ProgressEvent` with `OperationStatus.SUCCESS`, or `OperationStatus.FAILED` with `errorCode` `NonCompliant` and a `message` that names the offending property. Keep the policy check itself a pure function so it can be unit-tested without AWS credentials.
4. **Define failure mode.** Set `FailureMode` to FAIL or WARN and `TargetStacks` to ALL in the hook's type configuration (these live in the configuration applied with `set-type-configuration`, not in `schema.json`), and explain the blast radius: with `TargetStacks: ALL` and `FailureMode: FAIL`, a bug in the handler blocks every matching stack operation in that account and region; with WARN, a `FAILED` result is recorded as a warning and provisioning proceeds.
5. **Register and activate.** Give the `cfn submit --set-default` (or `register-type --type HOOK`) and `set-type-configuration` steps that enable the hook for the account, noting that hook types are regional and must be registered and configured in each region where the guardrail should apply.
6. **Test.** Provide a sample template that violates the policy and the expected hook rejection message, plus a compliant template that passes, and show how the exemption list lets a named legacy resource through.

Output as: `schema.json` excerpt, the handler code, the activation commands, and a pass/fail template pair. State plainly that a FAIL-mode hook can block legitimate stack operations account-wide if the logic is wrong: stage in WARN first, review the recorded warnings, then switch to FAIL.
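As an added example (not part of the prompt above and not an AWS sample), here is the shape of handler the steps ask for, using the S3 public-access-block policy the prompt uses as its example. The policy check is plain Python that runs offline against a constructed pass/fail template pair; the plugin wiring at the bottom uses `cloudformation-cli-python-plugin` names and assumes a `cfn init`-generated `models.py` whose `TypeConfigurationModel` carries an `ExemptBucketNames` property, and the hook type name `Example::S3::PublicAccessBlockHook`. The type name, the property name and the two templates are assumptions made for this example.

```python
"""Policy logic for an S3 public-access-block CloudFormation Hook (added example).

The evaluation functions have no AWS dependency so they can be unit-tested
offline; the hook plumbing at the bottom only activates inside a hook project
where cloudformation_cli_python_lib and the generated models.py are importable.
"""
from __future__ import annotations

from typing import Any, Iterable

TARGET_TYPE = "AWS::S3::Bucket"

# All four flags must be true for the bucket to be considered non-public.
REQUIRED_BLOCK_FLAGS = (
    "BlockPublicAcls",
    "BlockPublicPolicy",
    "IgnorePublicAcls",
    "RestrictPublicBuckets",
)


def _is_true(value: Any) -> bool:
    """Template booleans may arrive as real bools or as the strings 'true'/'false'."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def evaluate_bucket(props: dict[str, Any], exempt_names: Iterable[str] = ()) -> tuple[bool, str]:
    """Return (compliant, message) for the resourceProperties of one AWS::S3::Bucket."""
    name = props.get("BucketName")
    if name is not None and name in set(exempt_names):
        return True, f"bucket '{name}' is on the exemption list"
    cfg = props.get("PublicAccessBlockConfiguration")
    if not isinstance(cfg, dict):
        return False, "PublicAccessBlockConfiguration is missing; all four block flags must be true"
    missing = [flag for flag in REQUIRED_BLOCK_FLAGS if not _is_true(cfg.get(flag))]
    if missing:
        return False, "PublicAccessBlockConfiguration must set true: " + ", ".join(missing)
    return True, "public access block is fully enabled"


def decision_for_resource(props: dict[str, Any], exempt_names: Iterable[str] = ()) -> dict[str, str]:
    """The fields the ProgressEvent will carry, as plain data so they can be asserted on offline."""
    ok, msg = evaluate_bucket(props, exempt_names)
    if ok:
        return {"status": "SUCCESS", "message": msg}
    return {"status": "FAILED", "message": msg, "errorCode": "NonCompliant"}


def evaluate_template(template: dict[str, Any], exempt_names: Iterable[str] = ()) -> list[tuple[str, bool, str]]:
    """Offline stand-in for CloudFormation: the hook is invoked once per targeted resource,
    so this yields one (logicalId, compliant, message) per AWS::S3::Bucket in the template."""
    results = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != TARGET_TYPE:
            continue
        ok, msg = evaluate_bucket(resource.get("Properties", {}), exempt_names)
        results.append((logical_id, ok, msg))
    return results


# Constructed pass/fail template pair for local testing (not taken from any real stack).
NONCOMPLIANT_TEMPLATE = {
    "Resources": {
        "PublicBucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketName": "example-public"}},
        "HalfBlocked": {"Type": "AWS::S3::Bucket", "Properties": {"PublicAccessBlockConfiguration": {
            "BlockPublicAcls": "true", "BlockPublicPolicy": True,
            "IgnorePublicAcls": False, "RestrictPublicBuckets": "false"}}},
        "Queue": {"Type": "AWS::SQS::Queue", "Properties": {}},  # not targeted, must be skipped
    }
}
COMPLIANT_TEMPLATE = {
    "Resources": {
        "LockedBucket": {"Type": "AWS::S3::Bucket", "Properties": {"PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "BlockPublicPolicy": True,
            "IgnorePublicAcls": True, "RestrictPublicBuckets": True}}},
        # Passes only when 'legacy-public-site' is on the exemption list in the type configuration.
        "LegacyPublicSite": {"Type": "AWS::S3::Bucket", "Properties": {"BucketName": "legacy-public-site"}},
    }
}

try:  # Hook plumbing: importable only inside a `cfn init`-generated hook project.
    from cloudformation_cli_python_lib import (
        HandlerErrorCode, Hook, HookInvocationPoint, OperationStatus, ProgressEvent,
    )
    from .models import HookHandlerRequest, TypeConfigurationModel  # generated by `cfn generate`

    TYPE_NAME = "Example::S3::PublicAccessBlockHook"  # assumed hook type name
    hook = Hook(TYPE_NAME, TypeConfigurationModel)

    @hook.handler(HookInvocationPoint.CREATE_PRE_PROVISION)
    @hook.handler(HookInvocationPoint.UPDATE_PRE_PROVISION)
    def pre_provision(session, request: HookHandlerRequest, callback_context,
                      type_configuration: TypeConfigurationModel) -> ProgressEvent:
        props = (request.hookContext.targetModel or {}).get("resourceProperties") or {}
        # ExemptBucketNames is the assumed list property declared under typeConfiguration in schema.json.
        exempt = type_configuration.ExemptBucketNames or []
        ok, msg = evaluate_bucket(props, exempt)
        if ok:
            return ProgressEvent(status=OperationStatus.SUCCESS, message=msg)
        return ProgressEvent(status=OperationStatus.FAILED, message=msg,
                             errorCode=HandlerErrorCode.NonCompliant)
except ImportError:
    hook = None  # outside the hook project (e.g. unit tests) the policy functions above still work
```

Keeping `evaluate_bucket` free of plugin types is what makes the WARN-first staging the prompt insists on cheap: the same function that the handler calls can be run over every template in the repository before the hook is ever registered, so a FAIL-mode rollout starts with a known set of findings rather than a surprise.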