AWS Certified DevOps Engineer – Professional — Question 119

A development team wants to use AWS CloudFormation stacks to deploy an application. However, the developer IAM role does not have the required permissions to provision the resources that are specified in the AWS CloudFormation template. A DevOps engineer needs to implement a solution that allows the developers to deploy the stacks. The solution must follow the principle of least privilege.

Which solution will meet these requirements?

Answer options

• A. Create an IAM policy that allows the developers to provision the required resources. Attach the policy to the developer IAM role.
• B. Create an IAM policy that allows full access to AWS CloudFormation. Attach the policy to the developer IAM role.
• C. Create an AWS CloudFormation service role that has the required permissions. Grant the developer IAM role a cloudforrnation:* action. Use the new service role during stack deployments.
• D. Create an AWS CloudFormation service role that has the required permissions. Grant the developer IAM role the iam:PassRole permission. Use the new service role during stack deployments.

Correct answer: D

Explanation

The correct answer is D because it allows the developer IAM role to pass the AWS CloudFormation service role that has the required permissions, in line with the principle of least privilege. Option A does not ensure the least privilege as it grants extensive permissions directly to developers. Option B provides full access to AWS CloudFormation, which is not aligned with the least privilege principle. Option C incorrectly allows the developer IAM role to execute all cloudformation actions without the necessary restrictions.