Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 18 discussion

BEF are the correct selection Thought to consistent deployment of CloudFormation stacks would actually be B. Create a service role that has cloudformation.amazonaws.com as the service principal. Configure the role to allow the sts:AssumeRole action. E. Update each stack to use the service role. F. Add a policy to each member role to allow the iam:PassRole action. Set the policy's resource field to the ARN of the service role. These steps ensure that CloudFormation has the necessary permissions through a service role designed specifically for it (B), that each stack is configured to use this service role for deployments (E), and that users have the permission to pass this role to CloudFormation (F), aligning with best practices for security and consistency.

In a scenario where E and F are combined as one choice (E) as someone stated then the correct answer would be BCE.

The voting buttons are messed up so it's showing the wrong answer. The answer is 100% definitely BEF but you can't vote for BEF.

For me - BDE looks good.

BDF make more sense to me.

B - the CloudFormation service to needs to assume the role to create the resources E - the stacks needs to use the role to gain permissions F - the IAM user needs the iam:PassRole permission to pass the role to the CloudFormation service

B, D, E.

B. Create a service role that has cloudformation.amazonaws.com as the service principal. Configure the role to allow the sts action. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html D. For each required set of permissions, add a separate policy to the role to allow those permissions. Add the ARN of each service that needs the permissions in the resource field of the corresponding policy. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html#using-iam-servicerole-add E. Update each stack to use the service role. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html

BEF are the correct answers.

B ensures that CloudFormation has the necessary permissions through a dedicated service role. C restricts the permissions to the specific stacks, following the principle of least privilege. E ensures that each stack uses the service role during deployment.

BEF is correct

BDE Create a service role to be used by CloudFormation. For each service to be used by the CF stack, create the associated set of permissions. Assign the service role to the stack. The question does not feel right though, since it mentions all user assume an IAM role to access the account, therefore the stack they launch should use the permissions given to that IAM role, therefore the result should be the same for all users either (they don't launch the stack using their individual IAM users).

I took the exam today (Jan/28) and the choices E & F are two separate as per this question. In some of the comments, it was mentioned that E&F are considered as one choice.

Yes, Correct answer is B D F, based on numbers of linked already provided and passrole from ChatGpt.

Ans: B D F. In Cloud formation, you select the required role during a new creation. The team members will deploy using the new role. updating the current stacks is not a priority as compared to IAM:PassRole.

B D E To be able to update each stack to use the service role (E), user needs to be able to pass the role using iam:PassRole (F). But it is done once. I would go with E along side B & D.

why not A , dont we need a composite principal