AWS Certified Solutions Architect – Associate (SAA-C03) — Question 379

A new employee has joined a company as a deployment engineer. The deployment engineer will be using AWS CloudFormation templates to create multiple AWS resources. A solutions architect wants the deployment engineer to perform job activities while following the principle of least privilege.

Which combination of actions should the solutions architect take to accomplish this goal? (Choose two.)

Answer options

• A. Have the deployment engineer use AWS account root user credentials for performing AWS CloudFormation stack operations.
• B. Create a new IAM user for the deployment engineer and add the IAM user to a group that has the PowerUsers IAM policy attached.
• C. Create a new IAM user for the deployment engineer and add the IAM user to a group that has the AdministratorAccess IAM policy attached.
• D. Create a new IAM user for the deployment engineer and add the IAM user to a group that has an IAM policy that allows AWS CloudFormation actions only.
• E. Create an IAM role for the deployment engineer to explicitly define the permissions specific to the AWS CloudFormation stack and launch stacks using that IAM role.

Correct answer: D, E

Explanation

To follow the principle of least privilege, the deployment engineer's IAM user should only be granted permissions to interact with AWS CloudFormation (Option D), rather than broad administrative access (Options A, B, and C). To actually provision the resources defined in the templates, a dedicated IAM service role with the minimum required resource-level permissions should be created and passed to AWS CloudFormation during stack creation (Option E).