Q54 — AWS DOP-C02 Ch.3


A development team wants to use AWS CloudFormation stacks to deploy an application. However, developers’ IAM roles lack the permissions required to provision the resources specified in the AWS CloudFormation template. A DevOps engineer needs to implement a solution that allows developers to deploy stacks while adhering to the principle of least privilege. Which solution meets these requirements?

Correct Answer: D. Create an AWS CloudFormation service role with the required permissions. Grant the developers’ IAM roles iam:PassRole permission. Use the new service role during stack deployment.

Explanation

Option D satisfies the requirements. Granting developers full CloudFormation access (Option B) violates the principle of least privilege, and Option C grants overly broad cloudformation:* permissions. Option A may not be flexible or comprehensive enough. Option D creates a service role holding exactly the permissions the template needs and grants developers only iam:PassRole for that role (ideally scoped to that role's ARN rather than to all roles), so they can delegate those permissions to CloudFormation at deployment time. This meets the functional need while keeping the developers' own permissions tightly limited.