Q62 — AWS DOP-C02 Ch.1


A development team wants to use AWS CloudFormation stacks to deploy an application. However, the developer IAM role lacks permissions required for resources specified in the AWS CloudFormation template. A DevOps engineer must implement a solution that allows developers to deploy stacks while adhering to the principle of least privilege. Which solution meets these requirements?

Correct Answer: D. Create an AWS CloudFormation service role with required permissions. Grant the developer IAM role iam:PassRole permission. Use the new service role during stack deployment.

Explanation

AWS CloudFormation service roles delegate actual resource provisioning permissions to the CloudFormation service itself—not to the user. During stack deployment, CloudFormation assumes the service role to perform actions. Users require only iam:PassRole permission to pass the role to CloudFormation—not direct resource permissions. Option D enforces separation of duties: developers deploy stacks and pass the role, but cannot directly manipulate resources—fully satisfying least privilege. Options A and B over-provision permissions; Option C grants excessive CloudFormation permissions without enabling role passing, making it non-functional.
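The two IAM documents the correct answer relies on, written out as an added example (this is not from the exam page or from AWS documentation): a trust policy that lets only the CloudFormation service assume the deployment role, and a developer permission policy that allows stack operations plus `iam:PassRole` on that one role, restricted with the `iam:PassedToService` condition key so the role can only be handed to CloudFormation. The account id, region, role name and stack-name prefix are constructed placeholders. A small check function flags the pattern that defeats the design, `iam:PassRole` on `Resource: "*"` with no service condition, since that lets a developer pass any role to any service and undoes the least-privilege split.

```python
"""Least-privilege IAM documents for CloudFormation service-role deployments,
plus a check that the developer policy scopes iam:PassRole tightly.

Added example, not from the exam page. Account id, region, role name and
stack prefix are constructed placeholders."""
import json

ACCOUNT_ID = "111122223333"          # constructed placeholder
REGION = "us-east-1"                 # assumed region
ROLE_NAME = "CfnAppDeployRole"       # hypothetical service-role name
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}"

# Trust policy for the service role: only the CloudFormation service may assume it.
CFN_SERVICE_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "cloudformation.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permission policy for the developer role: stack lifecycle actions on stacks
# with a constructed "app-" prefix, and iam:PassRole for exactly one role,
# allowed only when the role is passed to CloudFormation.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DeployStacks",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:UpdateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackEvents",
            ],
            "Resource": f"arn:aws:cloudformation:{REGION}:{ACCOUNT_ID}:stack/app-*/*",
        },
        {
            "Sid": "PassServiceRoleToCloudFormation",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": ROLE_ARN,
            "Condition": {
                "StringEquals": {"iam:PassedToService": "cloudformation.amazonaws.com"}
            },
        },
    ],
}

# The over-broad variant that a review should reject: any role, to any service.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": "*",
    }],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/condition values."""
    return value if isinstance(value, list) else [value]


def passrole_findings(policy, expected_service="cloudformation.amazonaws.com"):
    """Return findings for Allow statements that grant iam:PassRole too broadly.

    A statement passes only if every Resource is a concrete role ARN (no '*')
    and it carries a StringEquals iam:PassedToService condition naming only
    the expected service. Action matching is exact (iam:PassRole, iam:*, *);
    glob patterns such as iam:Pass* are not expanded here.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("iam:passrole", "iam:*", "*") for a in actions):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for res in _as_list(stmt.get("Resource", "*")):
            if "*" in res:
                findings.append(f"{sid}: PassRole resource '{res}' contains a wildcard")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        passed_to = cond.get("iam:PassedToService")
        if passed_to is None:
            findings.append(f"{sid}: PassRole has no iam:PassedToService condition")
        elif _as_list(passed_to) != [expected_service]:
            findings.append(f"{sid}: PassRole may target {passed_to}, not only {expected_service}")
    return findings


def is_least_privilege_passrole(policy):
    """True when no PassRole statement in the policy raised a finding."""
    return not passrole_findings(policy)


if __name__ == "__main__":
    print(json.dumps(CFN_SERVICE_ROLE_TRUST_POLICY, indent=2))
    print(json.dumps(DEVELOPER_POLICY, indent=2))
    print("developer policy findings:", passrole_findings(DEVELOPER_POLICY))
    print("over-broad policy findings:", passrole_findings(OVERBROAD_POLICY))
```

The service role itself carries the permissions for whatever the template creates (EC2, Lambda, DynamoDB and so on); the developer never holds those directly. At deployment time the developer supplies the role with `aws cloudformation create-stack --role-arn <service-role-arn> ...`, CloudFormation assumes it, and CloudTrail records the resource changes as made by the assumed service role, which is what makes the separation of duties auditable.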