Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 18 discussion

BEF are the correct selection Thought to consistent deployment of CloudFormation stacks would actually be B. Create a service role that has cloudformation.amazonaws.com as the service principal. Configure the role to allow the sts:AssumeRole action. E. Update each stack to use the service role. F. Add a policy to each member role to allow the iam:PassRole action. Set the policy's resource field to the ARN of the service role. These steps ensure that CloudFormation has the necessary permissions through a service role designed specifically for it (B), that each stack is configured to use this service role for deployments (E), and that users have the permission to pass this role to CloudFormation (F), aligning with best practices for security and consistency.

B. Create a service role that has cloudformation.amazonaws.com as the service principal. Configure the role to allow the sts action. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html D. For each required set of permissions, add a separate policy to the role to allow those permissions. Add the ARN of each service that needs the permissions in the resource field of the corresponding policy. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html#using-iam-servicerole-add E. Update each stack to use the service role. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html

BEF is the correct answer

Why Not A, C, or F? Option Reason for Rejection A A composite principal is unnecessary here. CloudFormation is the only service assuming the role, so we only need cloudformation.amazonaws.com. C Adding CloudFormation stack ARNs in the resource field is incorrect because policies should apply to the services being provisioned, not to CloudFormation stacks themselves. F iam:PassRole is only needed when a user or service is delegating a role to another AWS service (e.g., EC2 assuming an IAM role). CloudFormation assumes the role directly, so this step is not required.

BDF Option E: It's not necessary to explicitly update each stack to use the service role. CloudFormation automatically assumes the specified service role when performing stack operations, as long as the role is properly configured with the necessary permissions and trust relationships.

Anyone that voted "D", how can you add "Service Arn" (not Resource ARN) to the "Resource" field in an IAM policy?

BEF IS THE RIGHT ANSWER FOR THIS SCENARIO

In a scenario where E and F are combined as one choice (E) as someone stated then the correct answer would be BCE.

The voting buttons are messed up so it's showing the wrong answer. The answer is 100% definitely BEF but you can't vote for BEF.

For me - BDE looks good.

BDF make more sense to me.

B - the CloudFormation service to needs to assume the role to create the resources E - the stacks needs to use the role to gain permissions F - the IAM user needs the iam:PassRole permission to pass the role to the CloudFormation service

B, D, E.

BEF are the correct answers.

B ensures that CloudFormation has the necessary permissions through a dedicated service role. C restricts the permissions to the specific stacks, following the principle of least privilege. E ensures that each stack uses the service role during deployment.

BEF is correct

BDE Create a service role to be used by CloudFormation. For each service to be used by the CF stack, create the associated set of permissions. Assign the service role to the stack. The question does not feel right though, since it mentions all user assume an IAM role to access the account, therefore the stack they launch should use the permissions given to that IAM role, therefore the result should be the same for all users either (they don't launch the stack using their individual IAM users).