AWS Certified Security – Specialty (SCS-C02) — Question 60

A company uses several AWS CloudFormation stacks to handle the deployment of a suite of applications. The leader of the company's application development team notices that the stack deployments fail with permission errors when some team members try to deploy the stacks. However, other team members can deploy the stacks successfully.
The team members access the account by assuming a role that has a specific set of permissions that are necessary for the job responsibilities of the team members. All team members have permissions to perform operations on the stacks.
Which combination of steps will ensure consistent deployment of the stacks MOST securely? (Choose three.)

Answer options

Correct answer: B, D, E

Explanation

The correct answers are B, D, and E. Establishing a service role specific to CloudFormation (B) provides the permissions necessary for stack deployment. Adding policies that reference the ARNs of the services needing permissions (D) ensures that only the required actions are permitted. Updating each stack to use this service role (E) guarantees consistent and secure access for deployments. Options A and C are incorrect because they either overcomplicate the role assignment or reference the wrong resources in the policies.