AWS Certified SysOps Administrator – Associate — Question 295
A company has an AWS CloudFormation template that creates an Amazon S3 bucket. A user authenticates to the corporate AWS account with their Active Directory credentials and attempts to deploy the CloudFormation template. However, the stack creation fails.
Which factors could cause this failure? (Choose two.)
Answer options
- A. The user’s IAM policy does not allow the cloudformation:CreateStack action.
- B. The user’s IAM policy does not allow the cloudformation:CreateStackSet action.
- C. The user’s IAM policy does not allow the s3:CreateBucket action.
- D. The user’s IAM policy explicitly denies the s3:ListBucket action.
- E. The user’s IAM policy explicitly denies the s3:PutObject action.
Correct answer: A, C
Explanation
To deploy an AWS CloudFormation stack that provisions resources, the initiating user needs permission both to create the stack itself (cloudformation:CreateStack) and to create the underlying resources defined in the template (here, s3:CreateBucket). If either permission is missing from the user's IAM policy, the stack deployment fails. The remaining actions (cloudformation:CreateStackSet, s3:ListBucket, and s3:PutObject) are not required to create a basic S3 bucket with a standard CloudFormation template.