AWS Certified Security – Specialty (SCS-C02) — Question 222

A company uses AWS Organizations to manage an organization that consists of three workload OUs. Production, Development, and Testing. The company uses AWS CloudFormation templates to define and deploy workload infrastructure in AWS accounts that are associated with the OUs. Different SCPs are attached to each workload OU.

The company successfully deployed a CloudFormation stack update to workloads in the Development OU and the Testing OU. When the company uses the same CloudFormation template to deploy the stack update in.an account in the Production OU, the update fails. The error message reports insufficient IAM permissions.

What is the FIRST step that a security engineer should take to troubleshoot this issue?

Answer options

• A. Review the AWS CloudTrail logs in the account in the Production OU. Search for any failed API calls from CloudFormation during the deployment attempt.
• B. Remove all the SCPs that are attached to the Production OU. Rerun the CloudFormation stack update to determine if the SCPs were preventing the CloudFormation API calls.
• C. Confirm that the role used by CloudFormation has sufficient permissions to create, update, and delete the resources that are referenced in the CloudFormation template.
• D. Make all the SCPs that are attached to the Production OU the same as the SCPs that are attached to the Testing OU.

Correct answer: A

Explanation

The first step in troubleshooting should be to review the AWS CloudTrail logs for any failed API calls, which will provide insight into what permissions are lacking during the deployment. While confirming the role's permissions (Option C) is also important, it is more efficient to first gather logs that explicitly indicate the failure cause. Removing SCPs (Option B) or aligning them with another OU (Option D) may not be necessary and could introduce additional risks.