Q62 — AWS DOP-C02 Ch.1
A development team wants to use AWS CloudFormation stacks to deploy an application. However, the developer IAM role lacks permissions required for resources specified in the AWS CloudFormation template. A DevOps engineer must implement a solution that allows developers to deploy stacks while adhering to the principle of least privilege. Which solution meets these requirements?
- A. Create an IAM policy allowing developers to provision the required resources. Attach the policy to the developer IAM role.
- B. Create an IAM policy allowing full access to AWS CloudFormation. Attach the policy to the developer IAM role.
- C. Create an AWS CloudFormation service role with required permissions. Grant the developer IAM role cloudformation:* action. Use the new service role during stack deployment.
- D. Create an AWS CloudFormation service role with required permissions. Grant the developer IAM role iam:PassRole permission. Use the new service role during stack deployment. ✓
Correct Answer: D. Create an AWS CloudFormation service role with required permissions. Grant the developer IAM role iam:PassRole permission. Use the new service role during stack deployment.
Explanation
A CloudFormation service role separates the permissions needed to run a stack operation from the permissions needed to provision the resources the template declares. When a developer deploys a stack with a service role, CloudFormation assumes that role and creates, updates, or deletes the resources with its credentials, not the developer's. The developer role therefore needs only two things: the CloudFormation stack actions (cloudformation:CreateStack, UpdateStack, DescribeStacks and so on, ideally limited to a stack-name pattern) and iam:PassRole on that one service role, so the role can be handed to CloudFormation at deployment time. Option D is the least-privilege fit: developers can drive stack deployments but hold no direct permissions on the underlying resources, and the provisioning permissions live in a single role whose policy can be scoped to exactly what the template needs.

Option A grants developers the resource permissions directly, which lets them create and modify those resources outside CloudFormation. Option B grants full CloudFormation access but does not solve the problem, since a stack deployed without a service role still runs with the caller's permissions, which lack the required resource actions. Option C is broader than needed (cloudformation:* instead of the handful of stack actions) and still omits iam:PassRole, so CloudFormation rejects the attempt to use the service role and the deployment fails.

Two practitioner caveats follow from this design. First, iam:PassRole is itself a privilege-escalation primitive: whoever can pass a role can obtain its permissions through any service that accepts it, so the PassRole grant should name the specific role ARN and carry the condition iam:PassedToService equal to cloudformation.amazonaws.com rather than Resource "*". Second, the service role's policy is now the effective permission ceiling for every template a developer can deploy, so it should be scoped to the resource types and ARN patterns the application actually uses, not to administrator-level access.
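The pattern in option D expressed as a CloudFormation template, as an added example that is not part of the original question or of AWS documentation. It creates the service role trusted by cloudformation.amazonaws.com and a managed policy attached to the developer role that allows stack actions on a stack-name prefix plus iam:PassRole restricted to that one role and to CloudFormation. The role name cfn-app-deploy-role, the stack prefix app-, the parameter DeveloperRoleName, and the S3 and DynamoDB permission set standing in for "the resources specified in the template" are all assumptions chosen for illustration:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Least-privilege developer stack deployments: a CloudFormation service role
  holds the provisioning permissions, and the developer role only gets stack
  actions plus iam:PassRole for that single role.

Parameters:
  DeveloperRoleName:
    Type: String
    Default: DeveloperRole
    Description: Existing developer IAM role that receives the deploy policy (assumed name)

Resources:
  # Service role: CloudFormation assumes it during stack operations, so the
  # developer never holds these resource permissions directly.
  CfnDeployServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: cfn-app-deploy-role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: app-provisioning
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Assumed resource set for the application template; scope this to
              # exactly what the template declares. This policy is the ceiling
              # for every template a developer can deploy with the role.
              - Sid: AppBuckets
                Effect: Allow
                Action:
                  - s3:CreateBucket
                  - s3:DeleteBucket
                  - s3:PutBucketPolicy
                  - s3:PutEncryptionConfiguration
                  - s3:PutBucketPublicAccessBlock
                Resource: "arn:aws:s3:::app-*"
              - Sid: AppTables
                Effect: Allow
                Action:
                  - dynamodb:CreateTable
                  - dynamodb:DeleteTable
                  - dynamodb:DescribeTable
                  - dynamodb:UpdateTable
                Resource: !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/app-*"

  # What the developer role actually gets: stack lifecycle actions on a
  # name prefix, and the right to pass exactly one role, only to CloudFormation.
  DeveloperStackDeployPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: developer-stack-deploy
      Roles:
        - !Ref DeveloperRoleName
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DriveCloudFormation
            Effect: Allow
            Action:
              - cloudformation:CreateStack
              - cloudformation:UpdateStack
              - cloudformation:DeleteStack
              - cloudformation:DescribeStacks
              - cloudformation:DescribeStackEvents
              - cloudformation:CreateChangeSet
              - cloudformation:DescribeChangeSet
              - cloudformation:ExecuteChangeSet
            Resource: !Sub "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/app-*/*"
          - Sid: PassOnlyTheDeployRoleToCloudFormation
            Effect: Allow
            Action: iam:PassRole
            Resource: !GetAtt CfnDeployServiceRole.Arn
            Condition:
              StringEquals:
                iam:PassedToService: cloudformation.amazonaws.com
```

A developer then deploys with the role named explicitly, for example `aws cloudformation create-stack --stack-name app-dev --template-body file://app.yaml --role-arn arn:aws:iam::<account-id>:role/cfn-app-deploy-role`. Two behaviours are worth verifying after rollout: a deployment that omits `--role-arn` runs with the developer's own credentials and fails on the first S3 or DynamoDB call, which is the intended outcome, and an attempt to pass cfn-app-deploy-role to any other service (a Lambda function, an EC2 instance profile) is denied by the iam:PassedToService condition, which is what keeps the PassRole grant from becoming a general escalation path.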