Question 15
Domain 2: Configuration Management and Infrastructure as Code

A development team wants to use AWS CloudFormation stacks to deploy an application. However, the developer IAM role does not have the required permissions to provision the resources that are specified in the AWS CloudFormation template. A DevOps engineer needs to implement a solution that allows the developers to deploy the stacks. The solution must follow the principle of least privilege. Which solution will meet these requirements?
Correct answer: D
Explanation
AWS CloudFormation can assume a service role to create resources on a user’s behalf, so the developers do not need broad provisioning permissions. Granting only "iam:PassRole" lets them pass that specific service role during stack deployments, which follows least privilege by limiting access to the exact role needed.
Why each option is right or wrong
A. Create an IAM policy that allows the developers to provision the required resources. Attach the policy to the developer IAM role.
Giving developers resource-creation permissions directly expands their privileges beyond just launching stacks.
B. Create an IAM policy that allows full access to AWS CloudFormation. Attach the policy to the developer IAM role.
Full CloudFormation access is broader than needed and does not enforce least privilege.
C. Create an AWS CloudFormation service role that has the required permissions. Grant the developer IAM role a cloudformation:* action. Use the new service role during stack deployments.
CloudFormation access alone is insufficient; developers must be allowed to pass the service role.
D. Create an AWS CloudFormation service role that has the required permissions. Grant the developer IAM role the iam:PassRole permission. Use the new service role during stack deployments.
AWS CloudFormation supports a service role that it assumes to create, update, and delete stack resources on the caller’s behalf; the role must contain the permissions needed for the template’s resources, while the developer only needs permission to pass that role. Under IAM, `iam:PassRole` is the specific permission required to delegate an existing role to a service, so granting it to the developer role avoids giving broad provisioning rights. Using the service role for stack operations confines access to the exact AWS actions and resources required, which satisfies least privilege.
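As an added illustration of option D (not part of the original question or its answer key), the following identity-based policy for the developer role grants only stack operations plus `iam:PassRole` scoped to a single service role, and uses the `iam:PassedToService` condition key so the role can be passed to CloudFormation and nothing else. The account ID `111122223333`, the role name `CfnAppDeployRole`, the region, and the `app-*` stack-name prefix are placeholders for this example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowStackOperationsOnAppStacks",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackEvents"
      ],
      "Resource": "arn:aws:cloudformation:us-east-1:111122223333:stack/app-*/*"
    },
    {
      "Sid": "PassOnlyTheDeployRoleToCloudFormation",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::111122223333:role/CfnAppDeployRole",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "cloudformation.amazonaws.com"
        }
      }
    }
  ]
}
```

The service role itself carries the resource-provisioning permissions and needs a trust policy that lets `cloudformation.amazonaws.com` call `sts:AssumeRole`; the developers never hold those provisioning permissions directly.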