AWS Certified Solutions Architect – Professional (SAP-C02) — Question 406
A solutions architect is preparing to deploy a new security tool into several previously unused AWS Regions. The solutions architect will deploy the tool by using an AWS CloudFormation stack set. The stack set's template contains an IAM role that has a custom name. Upon creation of the stack set, no stack instances are created successfully.
What should the solutions architect do to deploy the stacks successfully?
Answer options
- A. Enable the new Regions in all relevant accounts. Specify the CAPABILITY_NAMED_IAM capability during the creation of the stack set.
- B. Use the Service Quotas console to request a quota increase for the number of CloudFormation stacks in each new Region in all relevant accounts. Specify the CAPABILITY_IAM capability during the creation of the stack set.
- C. Specify the CAPABILITY_NAMED_IAM capability and the SELF_MANAGED permissions model during the creation of the stack set.
- D. Specify an administration role ARN and the CAPABILITY_IAM capability during the creation of the stack set.
Correct answer: A
Explanation
To deploy resources in previously unused AWS Regions, those Regions must first be explicitly enabled in the target AWS accounts. Additionally, because the CloudFormation template includes an IAM resource with a custom name, the CAPABILITY_NAMED_IAM capability must be specified during deployment. The other options are incorrect because they either do not address the disabled Regions or specify the weaker CAPABILITY_IAM capability, which does not support custom-named IAM roles.