Q54 — AWS DOP-C02 Ch.3
Question 54 of 100
A development team wants to use AWS CloudFormation stacks to deploy an application. However, developers’ IAM roles lack the permissions required to provision the resources specified in the AWS CloudFormation template. A DevOps engineer needs to implement a solution that allows developers to deploy stacks while adhering to the principle of least privilege. Which solution meets these requirements?
- A. Create an IAM policy that allows developers to provision the required resources. Attach this policy to the developers’ IAM roles.
- B. Create an IAM policy that allows full access to AWS CloudFormation. Attach this policy to the developers’ IAM roles.
- C. Create an AWS CloudFormation service role with the required permissions. Grant the developers’ IAM roles cloudformation:* permissions. Use the new service role during stack deployment.
- D. Create an AWS CloudFormation service role with the required permissions. Grant the developers’ IAM roles iam:PassRole permission. Use the new service role during stack deployment. ✓
Correct Answer: D. Create an AWS CloudFormation service role with the required permissions. Grant the developers’ IAM roles iam:PassRole permission. Use the new service role during stack deployment.
Explanation
Option D satisfies the requirements. CloudFormation can perform stack operations under a service role instead of the caller's own credentials: the role carries the permissions needed to provision the template's resources, and its trust policy lets cloudformation.amazonaws.com assume it. Developers then need only their existing stack permissions plus iam:PassRole on that one role, so they can hand it to CloudFormation at deployment time without ever holding the resource permissions themselves. Option A grants the resource permissions directly to the developers, which lets them create the same resources outside CloudFormation and has to be widened every time the template changes. Option B grants full CloudFormation access but does not solve the problem: a stack launched without a service role is still provisioned with the caller's permissions, which lack what the template needs. Option C grants cloudformation:*, which is broader than the stack operations developers actually use, and it omits iam:PassRole, which the caller must hold to pass a service role to CloudFormation at all. In practice, scope the PassRole grant to the service role's ARN and add an iam:PassedToService condition limited to cloudformation.amazonaws.com, so the role cannot be passed to any other service the developer controls.
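The service-role pattern from option D, written out as an added example that is not part of the original page: the trust policy for the service role, the developer policy that grants only stack operations plus a tightly scoped iam:PassRole, a small check that flags the common PassRole mistakes (wildcard resource, missing or wrong iam:PassedToService condition), and the CLI call that triggers the PassRole check. The account ID, region, role name and stack name prefix are hypothetical placeholders.

```python
"""Least-privilege developer access for CloudFormation service-role deployments.

Added example; the account ID, region, role name and stack name prefix below
are hypothetical placeholders, not values from the original question.
"""
import fnmatch
import json

ACCOUNT_ID = "123456789012"                                          # hypothetical
REGION = "us-east-1"                                                 # hypothetical
SERVICE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/CfnDeployRole"   # hypothetical
STACK_ARN_PATTERN = f"arn:aws:cloudformation:{REGION}:{ACCOUNT_ID}:stack/app-*/*"
CFN_SERVICE = "cloudformation.amazonaws.com"


def service_role_trust_policy() -> dict:
    """Trust policy for the service role: only CloudFormation may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": CFN_SERVICE},
            "Action": "sts:AssumeRole",
        }],
    }


def developer_policy(role_arn: str = SERVICE_ROLE_ARN) -> dict:
    """Identity policy for the developers' role: stack operations on "app-*"
    stacks, and PassRole limited to the one deploy role and to CloudFormation
    as the receiving service (so the role cannot be handed to Lambda, EC2, ...)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "StackOperations",
                "Effect": "Allow",
                "Action": [
                    "cloudformation:CreateStack", "cloudformation:UpdateStack",
                    "cloudformation:DeleteStack", "cloudformation:CreateChangeSet",
                    "cloudformation:ExecuteChangeSet", "cloudformation:DescribeChangeSet",
                    "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents",
                ],
                "Resource": STACK_ARN_PATTERN,
            },
            {
                "Sid": "PassOnlyTheDeployRole",
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": role_arn,
                "Condition": {"StringEquals": {"iam:PassedToService": CFN_SERVICE}},
            },
        ],
    }


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def passrole_findings(policy: dict) -> list[str]:
    """Problems found in Allow statements that grant iam:PassRole.

    Flags wildcard resources (any role could be passed, including admin ones)
    and a missing or non-CloudFormation iam:PassedToService condition (the
    deploy role could be passed to a service the caller controls and its
    permissions used from there)."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action wildcards (iam:*, iam:Pass*, *) also cover PassRole.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase("iam:passrole", a) for a in actions):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for res in _as_list(stmt.get("Resource", "*")):
            if res == "*" or res.endswith(":role/*"):
                findings.append(f"{sid}: iam:PassRole allowed on unscoped resource {res}")
        cond = stmt.get("Condition", {})
        passed_to = {}
        for op in ("StringEquals", "StringLike"):
            passed_to.update(cond.get(op, {}))
        svc = _as_list(passed_to.get("iam:PassedToService", []))
        if not svc:
            findings.append(f"{sid}: no iam:PassedToService condition")
        elif any(s != CFN_SERVICE for s in svc):
            findings.append(f"{sid}: role may be passed to services other than CloudFormation: {svc}")
    return findings


def deploy_command(stack_name: str, template_path: str, role_arn: str = SERVICE_ROLE_ARN) -> str:
    """CLI call a developer runs; --role-arn is what makes IAM evaluate iam:PassRole."""
    return (f"aws cloudformation create-stack --stack-name {stack_name} "
            f"--template-body file://{template_path} --role-arn {role_arn}")


if __name__ == "__main__":
    print(json.dumps(service_role_trust_policy(), indent=2))
    print(json.dumps(developer_policy(), indent=2))
    print(passrole_findings(developer_policy()))   # [] for the scoped policy
    print(deploy_command("app-web", "template.yaml"))
```

Run `passrole_findings` against a policy that grants `iam:PassRole` on `Resource: "*"` and it reports both the unscoped resource and the missing condition; that is the shape of grant that quietly turns option D back into option A, because a developer who can pass any role can also pass an administrative one. The template's own resources still have to be allowed in the service role's permissions policy, which is where the least-privilege work for the actual resources lives.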