Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 61 discussion

D is totally correct

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html

D is correct: Need to create a role for Cloud formation that has the required permissions. Then adding iam:PassRole permission to the dev IAM role to allow them to pass this role to CF A: no mention of creating the required permissions for ACF. Additionally, should not grant permissions for dev. B: grant full access is against the least privilege policy C: no mention of granting iam:PassRole permission to the dev

A is incorrect; A would also allow resources to be used from outside of cfn. Therefore, D is correct.

Option D allows you to create a dedicated AWS CloudFormation service role with the precise permissions required for stack deployments. Then, you grant the developer IAM role the iam:PassRole permission, which enables it to pass the service role to AWS CloudFormation without granting it broad IAM permissions. This approach aligns best with the principle of least privilege and ensures developers can deploy stacks while maintaining control over their permissions.

B is the answer. DC wrong - Nothing like CloudFormation service-role.

D is the right answer.

This solution follows the principle of least privilege by creating a specific AWS CloudFormation service role that only has the permissions required for the resources in the AWS CloudFormation stack. The developers are then granted permission to pass this role (iam:PassRole) to the AWS CloudFormation service when they initiate stack deployments, which allows the service to act on behalf of the developer to provision the specified resources.

D, you pass the role that can create the resources, the user does not have the right to create the resources himself but can pass the role to CloudFormation so CloudFormation assumes it. IMHO.

This allows them to provision the required resources specified in the CloudFormation template without granting them full access to AWS CloudFormation or the underlying resources.

D , passrole is right action

https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html

D is more suitable in this case.

C. Create an AWS CloudFormation service role that has the required permissions. Grant the developer IAM role a cloudformation:* action. Use the new service role during stack deployments. By creating an AWS CloudFormation service role with the required permissions, the DevOps engineer can control the resources that the developers can access. This approach ensures that the developers have only the necessary permissions to deploy the stacks, without granting them excessive permissions that could be exploited by malicious actors. The IAM policy granting a cloudformation:* action to the developer IAM role allows the developers to use the AWS CloudFormation service role and deploy the stacks with the required resources. Option A, creating an IAM policy that allows the developers to provision the required resources, is not a good solution because it could potentially grant the developers too much access to resources they don't need. This violates the principle of least privilege.

D it is

Option D is the recommended solution to meet the requirements because it follows the principle of least privilege. The IAM policy that allows the developers to provision the required resources should be created and associated with the IAM role, which should be assigned the iam:PassRole permission for the AWS CloudFormation service role. By doing so, the IAM role can only assume the specific AWS CloudFormation service role and deploy the stack with the required permissions, and not have full access to all resources or full access to AWS CloudFormation.

B it is