Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 18 discussion

A company uses several AWS CloudFormation stacks to handle the deployment of a suite of applications. The leader of the company's application development team notices that the stack deployments fail with permission errors when some team members try to deploy the stacks. However, other team members can deploy the stacks successfully.
The team members access the account by assuming a role that has a specific set of permissions that are necessary for the job responsibilities of the team members. All team members have permissions to perform operations on the stacks.
Which combination of steps will ensure consistent deployment of the stacks MOST securely? (Choose three.)

  • A. Create a service role that has a composite principal that contains each service that needs the necessary permissions. Configure the role to allow the sts:AssumeRole action.
  • B. Create a service role that has cloudformation.amazonaws.com as the service principal. Configure the role to allow the sts:AssumeRole action.
  • C. For each required set of permissions, add a separate policy to the role to allow those permissions. Add the ARN of each CloudFormation stack in the resource field of each policy.
  • D. For each required set of permissions, add a separate policy to the role to allow those permissions. Add the ARN of each service that needs the permissions in the resource field of the corresponding policy.
  • E. Update each stack to use the service role.
  • F. Add a policy to each member role to allow the iam:PassRole action. Set the policy's resource field to the ARN of the service role.
Suggested Answer: BDE
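The service-role pattern the options describe, as an added example that is not part of the exam page or of AWS documentation. It builds the trust policy from option B, the stack update from option E and the iam:PassRole grant from option F, then runs two checks that mirror what the thread argues about: a composite service principal (option A) widens who can assume the deployment role, and an iam:PassRole grant on a wildcard resource lets a member role hand CloudFormation any role in the account. The account ID, role name, stack name and template path are assumed placeholders; the iam:PassedToService condition key is a real IAM condition but goes beyond what option F states.

```python
"""Added example (not from the exam page or AWS): build the IAM policy documents
behind options B, E and F and run least-privilege checks over them.
Account ID, role name, stack name and template path are assumed placeholders."""
import json

ACCOUNT_ID = "123456789012"                    # assumed placeholder
SERVICE_ROLE_NAME = "cfn-app-deploy"           # assumed placeholder
SERVICE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{SERVICE_ROLE_NAME}"
CFN_PRINCIPAL = "cloudformation.amazonaws.com"


def cloudformation_trust_policy():
    """Option B: only the CloudFormation service may assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": CFN_PRINCIPAL},
        "Action": "sts:AssumeRole"}]}


def composite_trust_policy(services):
    """Option A: one role trusted by several services; built only so the checker can reject it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": list(services)},
        "Action": "sts:AssumeRole"}]}


def passrole_policy(service_role_arn):
    """Option F: a member role may pass exactly one role, and only to CloudFormation.
    The iam:PassedToService condition is an addition to the option text."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": service_role_arn,
        "Condition": {"StringEquals": {"iam:PassedToService": CFN_PRINCIPAL}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allow_statements(doc):
    return [s for s in _as_list(doc.get("Statement", [])) if s.get("Effect") == "Allow"]


def trust_policy_issues(doc):
    """Findings for a trust policy intended for a CloudFormation service role."""
    issues = []
    for stmt in _allow_statements(doc):
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            issues.append("any principal may assume the role")
            continue
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        extra = [p for p in services if p != CFN_PRINCIPAL]
        if extra:
            issues.append(f"composite principal lets other services assume the role: {extra}")
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            issues.append("statement does not allow sts:AssumeRole")
    return issues


def passrole_issues(doc, expected_role_arn):
    """Findings for a member-role policy that grants iam:PassRole."""
    issues = []
    for stmt in _allow_statements(doc):
        if "iam:PassRole" not in _as_list(stmt.get("Action", [])):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if any(r.endswith("*") for r in resources):
            issues.append("iam:PassRole on a wildcard lets members pass any role, including more privileged ones")
        elif resources != [expected_role_arn]:
            issues.append(f"iam:PassRole resource is not the service role: {resources}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if condition.get("iam:PassedToService") != CFN_PRINCIPAL:
            issues.append("no iam:PassedToService condition; the role could be passed to other services")
    return issues


def stack_update_command(stack_name, template_path, service_role_arn):
    """Option E: attach the service role to an existing stack via the AWS CLI."""
    return ["aws", "cloudformation", "update-stack",
            "--stack-name", stack_name,
            "--template-body", f"file://{template_path}",
            "--role-arn", service_role_arn]


if __name__ == "__main__":
    for name, doc in [("trust", cloudformation_trust_policy()),
                      ("passrole", passrole_policy(SERVICE_ROLE_ARN))]:
        print(name, json.dumps(doc, indent=2))
    print("trust issues:", trust_policy_issues(cloudformation_trust_policy()))
    print("option A issues:", trust_policy_issues(
        composite_trust_policy([CFN_PRINCIPAL, "ec2.amazonaws.com"])))
    print("passrole issues:", passrole_issues(passrole_policy("*"), SERVICE_ROLE_ARN))
    print(" ".join(stack_update_command("app-stack", "app.yaml", SERVICE_ROLE_ARN)))
```

Running the file prints the two policy documents and the findings for the weak variants. Once the stack carries `--role-arn`, CloudFormation uses the service role's permissions rather than the caller's, which is why every member's deployment behaves the same; the member roles then need nothing beyond the stack operations and the scoped iam:PassRole grant.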

Comments

PareshBPatel
Highly Voted 9 months, 4 weeks ago
BEF are the correct selection. The steps for consistent deployment of CloudFormation stacks would actually be:
B. Create a service role that has cloudformation.amazonaws.com as the service principal. Configure the role to allow the sts:AssumeRole action.
E. Update each stack to use the service role.
F. Add a policy to each member role to allow the iam:PassRole action. Set the policy's resource field to the ARN of the service role.
These steps ensure that CloudFormation has the necessary permissions through a service role designed specifically for it (B), that each stack is configured to use this service role for deployments (E), and that users have the permission to pass this role to CloudFormation (F), aligning with best practices for security and consistency.
upvoted 13 times
5409b91
Highly Voted 4 months, 3 weeks ago
Selected Answer: BDE
B, D, E.
upvoted 5 times
hb0011
Most Recent 3 months ago
In a scenario where E and F are combined as one choice (E), as someone stated, the correct answer would be BCE.
upvoted 1 times
hb0011
3 months ago
Selected Answer: BE
The voting buttons are messed up so it's showing the wrong answer. The answer is 100% definitely BEF but you can't vote for BEF.
upvoted 1 times
HunkyBunky
3 months, 1 week ago
Selected Answer: BDE
For me - BDE looks good.
upvoted 1 times
FunkyFresco
3 months, 2 weeks ago
Selected Answer: BD
BDF make more sense to me.
upvoted 1 times
shyam87
3 months, 2 weeks ago
B - the CloudFormation service needs to assume the role to create the resources.
E - the stacks need to use the role to gain permissions.
F - the IAM user needs the iam:PassRole permission to pass the role to the CloudFormation service.
upvoted 3 times
cumzle_com
5 months, 2 weeks ago
Selected Answer: BDE
B. Create a service role that has cloudformation.amazonaws.com as the service principal. Configure the role to allow the sts action. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html
D. For each required set of permissions, add a separate policy to the role to allow those permissions. Add the ARN of each service that needs the permissions in the resource field of the corresponding policy. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html#using-iam-servicerole-add
E. Update each stack to use the service role. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html
upvoted 4 times
shailvardhan
6 months, 1 week ago
Selected Answer: BE
BEF are the correct answers.
upvoted 1 times
CloudHell
7 months, 3 weeks ago
Selected Answer: BCE
B ensures that CloudFormation has the necessary permissions through a dedicated service role. C restricts the permissions to the specific stacks, following the principle of least privilege. E ensures that each stack uses the service role during deployment.
upvoted 4 times
Snape
7 months, 3 weeks ago
Selected Answer: BE
BEF is correct
upvoted 3 times
Raphaello
9 months, 4 weeks ago
Selected Answer: BDE
BDE. Create a service role to be used by CloudFormation. For each service to be used by the CF stack, create the associated set of permissions. Assign the service role to the stack. The question does not feel right though, since it mentions all users assume an IAM role to access the account, therefore the stack they launch should use the permissions given to that IAM role, so the result should be the same for all users anyway (they don't launch the stack using their individual IAM users).
upvoted 1 times
Raphaello
9 months, 2 weeks ago
Ok, looking again at the options of this question, option D is a bit tricky. Yes, you need to create permissions for the CF service role, but there's nothing like "ARN of each service" to be added to the resource field. ARNs belong to resources, not services, and in a CF service role the resource element usually takes "*"; but even if you want to specify a resource it will be something like (arn:aws:s3:::my_bucket/*), NOT THE ARN OF EACH SERVICE! ARN <--> Resource, not service. For that, I would go with BEF. "F" (users being able to iam:PassRole) is important and the option is worded correctly. D is not worded correctly, as it starts with a correct part but ends with bogus! BEF.
upvoted 3 times
mynickc
10 months, 1 week ago
I took the exam today (Jan/28) and the choices E & F are two separate as per this question. In some of the comments, it was mentioned that E&F are considered as one choice.
upvoted 4 times
brpjp
11 months, 1 week ago
Yes, the correct answer is B D F, based on the number of links already provided and PassRole from ChatGPT.
upvoted 1 times
WeepingMaplte
11 months, 3 weeks ago
Selected Answer: BD
Ans: B D F. In CloudFormation, you select the required role during a new creation. The team members will deploy using the new role. Updating the current stacks is not a priority compared to iam:PassRole.
upvoted 3 times
Raphaello
11 months, 3 weeks ago
B D E. To be able to update each stack to use the service role (E), the user needs to be able to pass the role using iam:PassRole (F). But it is done once. I would go with E alongside B & D.
upvoted 2 times
vincentsr7
11 months, 4 weeks ago
Why not A? Don't we need a composite principal?
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other