AWS Certified Solutions Architect – Associate (SAA-C02) — Question 302

A new employee has joined a company as a deployment engineer. The deployment engineer will be using AWS CloudFormation templates to create multiple AWS resources. A solutions architect wants the deployment engineer to perform job activities while following the principle of least privilege.
Which combination of actions should the solutions architect take to accomplish this goal? (Choose two.)

Answer options

• A. Have the deployment engineer use AWS account roof user credentials for performing AWS CloudFormation stack operations.
• B. Create a new IAM user for the deployment engineer and add the IAM user to a group that has the PowerUsers IAM policy attached.
• C. Create a new IAM user for the deployment engineer and add the IAM user to a group that has the Administrate/Access IAM policy attached.
• D. Create a new IAM User for the deployment engineer and add the IAM user to a group that has an IAM policy that allows AWS CloudFormation actions only.
• E. Create an IAM role for the deployment engineer to explicitly define the permissions specific to the AWS CloudFormation stack and launch stacks using Dial IAM role.

Correct answer: D, E

Explanation

To enforce the principle of least privilege, the deployment engineer should only have direct permissions to interact with the AWS CloudFormation service itself, which is achieved by assigning them an IAM policy limited to AWS CloudFormation actions. To actually provision the resources, AWS CloudFormation should assume a specific IAM service role that has been granted only the precise permissions required to create, modify, or delete the resources in the templates. Using root credentials, administrator access, or broad power user policies grants excessive permissions and violates least privilege best practices.