AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 314
A company uses an organization in AWS Organizations to manage 10 AWS accounts. All features are enabled, and trusted access for AWS CloudFormation is enabled.
A DevOps engineer needs to use CloudFormation to deploy an IAM role to the Organizations management account and all member accounts in the organization.
Which solution will meet these requirements with the LEAST operational overhead?
Answer options
- A. Create a CloudFormation StackSet that has service-managed permissions. Set the root OU as a deployment target.
- B. Create a CloudFormation StackSet that has service-managed permissions. Set the root OU as a deployment target. Deploy a separate CloudFormation stack in the Organizations management account.
- C. Create a CloudFormation StackSet that has self-managed permissions. Set the root OU as a deployment target.
- D. Create a CloudFormation StackSet that has self-managed permissions. Set the root OU as a deployment target. Deploy a separate CloudFormation stack in the Organizations management account.
Correct answer: B
Explanation
CloudFormation StackSets with service-managed permissions automatically create and manage the IAM roles needed to deploy stack instances to the member accounts under a target OU, but they never deploy stack instances to the Organizations management account itself, even though that account sits under the root OU. Therefore, to cover all 10 accounts, a separate CloudFormation stack must be deployed in the management account in addition to the StackSet targeting the root OU. Self-managed permissions are incorrect because they require manually creating and maintaining the administration role and the execution role in every account, which increases operational overhead.