AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 45

A development team wants to use AWS CloudFormation stacks to deploy an application. However, the developer IAM role does not have the required permissions to provision the resources that are specified in the AWS CloudFormation template. A DevOps engineer needs to implement a solution that allows the developers to deploy the stacks. The solution must follow the principle of least privilege.
Which solution will meet these requirements?

Answer options

• A. Create an IAM policy that allows the developers to provision the required resources. Attach the policy to the developer IAM role.
• B. Create an IAM policy that allows full access to AWS CloudFormation. Attach the policy to the developer IAM role.
• C. Create an AWS CloudFormation service role that has the required permissions. Grant the developer IAM role a cloudformation:* action. Use the new service role during stack deployments.
• D. Create an AWS CloudFormation service role that has the required permissions. Grant the developer IAM role the iam:PassRole permission. Use the new service role during stack deployments.

Correct answer: D

Explanation

The correct answer is D because it allows the developers to use the AWS CloudFormation service role with the required permissions while maintaining the principle of least privilege by only granting the iam:PassRole permission. Option A and B do not adhere to least privilege as they either grant too many permissions or don't provide a service role. Option C is incorrect because it lacks the necessary permission for the developers to use the service role effectively.