
Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 259 discussion

A company's development team uses AWS CloudFormation to deploy its application resources. The team must use CloudFormation for all changes to the environment. The team cannot use the AWS Management Console or the AWS CLI to make manual changes directly.

The team uses a developer IAM role to access the environment. The role is configured with the AdministratorAccess managed IAM policy. The company has created a new CloudFormationDeployment IAM role that has the following policy attached:



The company wants to ensure that only CloudFormation can use the new role. The development team cannot make any manual changes to the deployed resources.

Which combination of steps will meet these requirements? (Choose three.)

  • A. Remove the AdministratorAccess policy. Assign the ReadOnlyAccess managed IAM policy to the developer role. Instruct the developers to use the CloudFormationDeployment role as a CloudFormation service role when the developers deploy new stacks.
  • B. Update the trust policy of the CloudFormationDeployment role to allow the developer IAM role to assume the CloudFormationDeployment role.
  • C. Configure the developer IAM role to be able to get and pass the CloudFormationDeployment role if iam:PassedToService equals . Configure the CloudFormationDeployment role to allow all cloudformation actions for all resources.
  • D. Update the trust policy of the CloudFormationDeployment role to allow the cloudformation.amazonaws.com AWS principal to perform the iam:AssumeRole action.
  • E. Remove the AdministratorAccess policy. Assign the ReadOnlyAccess managed IAM policy to the developer role. Instruct the developers to assume the CloudFormationDeployment role when the developers deploy new stacks.
  • F. Add an IAM policy to the CloudFormationDeployment role to allow cloudformation:* on all resources. Add a policy that allows the iam:PassRole action for the ARN of the CloudFormationDeployment role if iam:PassedToService equals cloudformation.amazonaws.com.
Suggested Answer: ADF
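The two policy documents that answers D and F describe, written out as an added example (not code from ExamTopics or from AWS), with a deliberately simplified evaluator so the effect of the trust policy and the iam:PassedToService condition can be checked offline. The account ID and role ARNs are constructed sample values; the trust-policy action is sts:AssumeRole, which is what IAM uses for role assumption.

```python
"""Added example: trust policy (answer D) and PassRole policy (answer F) for the
CloudFormationDeployment role, plus a minimal evaluator. Not the exam's or AWS's code."""
import json

ACCOUNT = "123456789012"  # constructed sample account id
DEPLOY_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/CloudFormationDeployment"
DEVELOPER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/developer"  # hypothetical name
CFN_SERVICE = "cloudformation.amazonaws.com"

# D: only the CloudFormation service principal may assume the role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": CFN_SERVICE},
                   "Action": "sts:AssumeRole"}],
}

# F: the developer role may pass the deployment role, but only to CloudFormation.
PASSROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": "iam:PassRole",
                   "Resource": DEPLOY_ROLE_ARN,
                   "Condition": {"StringEquals": {"iam:PassedToService": CFN_SERVICE}}}],
}

def allowed_principals(trust_policy):
    """Return every principal (service or AWS ARN) an Allow sts:AssumeRole statement names."""
    out = set()
    for st in trust_policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] != "Allow" or "sts:AssumeRole" not in actions:
            continue
        for key in ("Service", "AWS"):
            val = st.get("Principal", {}).get(key, [])
            out.update([val] if isinstance(val, str) else val)
    return out

def passrole_allowed(policy, role_arn, passed_to_service):
    """Simplified evaluation: an Allow iam:PassRole statement whose Resource matches
    and whose iam:PassedToService StringEquals condition (if present) matches."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or st["Action"] != "iam:PassRole":
            continue
        if st["Resource"] not in ("*", role_arn):
            continue
        want = st.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
        if want is None or want == passed_to_service:
            return True
    return False  # implicit deny

if __name__ == "__main__":
    print(json.dumps(TRUST_POLICY, indent=2))
    print("developer can assume directly:", DEVELOPER_ROLE_ARN in allowed_principals(TRUST_POLICY))
```

The evaluator ignores explicit Deny statements, wildcards in resources and other condition operators; it only models the single mechanism the question turns on.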

Comments

limelight04
2 weeks, 6 days ago
Selected Answer: ABD
While Option F seems reasonable at first glance, it has a potential issue. By allowing cloudformation:* on all resources, you grant broad permissions to CloudFormation actions, which may not align with the goal of restricting manual changes. It’s essential to strike a balance between security and functionality. The combination of Options A, B, and D ensures that only CloudFormation can assume the CloudFormationDeployment role, and the ReadOnlyAccess policy for developers prevents unintended modifications. This approach maintains a more controlled and secure environment.
upvoted 1 times
jamesf
1 month, 2 weeks ago
Selected Answer: ADF
A. Remove the AdministratorAccess policy. Assign the ReadOnlyAccess managed IAM policy to the developer role. Instruct the developers to use the CloudFormationDeployment role as a CloudFormation service role when the developers deploy new stacks.
D. Update the trust policy of the CloudFormationDeployment role to allow the cloudformation.amazonaws.com AWS principal to perform the iam:AssumeRole action.
F. Add an IAM policy to the CloudFormationDeployment role to allow cloudformation:* on all resources. Add a policy that allows the iam:PassRole action for the ARN of the CloudFormationDeployment role if iam:PassedToService equals cloudformation.amazonaws.com.
upvoted 1 times
jamesf
1 month, 2 weeks ago
Why Other Options Are Less Suitable:
Not Option B: Trust Policy with Developer IAM Role - Misaligned Trust Policy: Allowing the developer IAM role to assume the CloudFormationDeployment role would directly enable developers to assume the role, contradicting the requirement of not allowing them to make manual changes. This option bypasses the control we want to establish by having CloudFormation handle the role assumption.
Not Option C: Conditional Role Passing - Incorrect Logic: While this option attempts to create a condition for passing the role, it does not align with using CloudFormation as the sole entity allowed to assume the role. It implies a developer-driven role assumption rather than a service-driven one.
upvoted 1 times
jamesf
1 month, 2 weeks ago
Not Option E: Developer Assumption of CloudFormationDeployment Role - Manual Role Assumption: Similar to option B, this option would allow developers to directly assume the CloudFormationDeployment role. It introduces the risk of developers bypassing CloudFormation for changes, which violates the requirement to prevent manual modifications.
upvoted 1 times
tgv
2 months ago
Selected Answer: ADF
---> A D F
upvoted 1 times
trungtd
2 months ago
Selected Answer: ADF
A. ensures that developers cannot make manual changes to the environment. D. ensures that only CloudFormation can assume this role. F. ensures that the role can only be passed to CloudFormation, not to any other service or user.
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other