Exam DOP-C02
Question 259

A company's development team uses AWS CloudFormation to deploy its application resources. The team must use CloudFormation for all changes to the environment. The team cannot use the AWS Management Console or the AWS CLI to make manual changes directly.

The team uses a developer IAM role to access the environment. The role is configured with the AdministratorAccess managed IAM policy. The company has created a new CloudFormationDeployment IAM role that has the following policy attached:

The company wants to ensure that only CloudFormation can use the new role. The development team cannot make any manual changes to the deployed resources.

Which combination of steps will meet these requirements? (Choose three.)

Correct Answer: A, D, F

To meet the requirements, the following steps should be taken:

1. Remove the AdministratorAccess policy and assign the ReadOnlyAccess managed IAM policy to the developer role, so that developers cannot manually change resources.
2. Update the trust policy of the CloudFormationDeployment role to allow the cloudformation.amazonaws.com AWS principal to perform the iam:AssumeRole action, so that only CloudFormation can assume this role.
3. Add policies to the CloudFormationDeployment role: one that allows cloudformation:* on all resources so CloudFormation has the required permissions, and another that allows the iam:PassRole action for the CloudFormationDeployment role only to CloudFormation (if iam:PassedToService equals cloudformation.amazonaws.com), so that the role can only be passed to CloudFormation and not to any other service or user.
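The trust policy from step 2 and the scoped iam:PassRole policy from step 3, written out as an added illustration that is not part of the exam page, together with a small lint a reviewer can run over exported policy documents to confirm that nothing but CloudFormation can assume or be handed the role. The account ID and role ARN are placeholders, and trust_limited_to and pass_role_scoped are helper functions assumed here, not an AWS API.

```python
# Constructed illustration: the two IAM policy documents the answer describes,
# plus a defender-side check that the role is usable only by CloudFormation.
CFN_SERVICE = "cloudformation.amazonaws.com"
ROLE_ARN = "arn:aws:iam::123456789012:role/CloudFormationDeployment"  # placeholder account

# Trust policy (step 2): only the CloudFormation service principal may assume the role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": CFN_SERVICE},
                   "Action": "sts:AssumeRole"}],
}

# PassRole policy (step 3): the role may be passed only to CloudFormation.
PASS_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": "iam:PassRole",
                   "Resource": ROLE_ARN,
                   "Condition": {"StringEquals": {"iam:PassedToService": CFN_SERVICE}}}],
}

def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def trust_limited_to(policy, service):
    """True if every Allow statement in a trust policy names only `service` as principal."""
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        # A bare "*" or any AWS/Federated principal would admit non-CloudFormation callers.
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            return False
        if _as_list(principal["Service"]) != [service]:
            return False
    return True

def pass_role_scoped(policy, role_arn, service):
    """True if every iam:PassRole grant is limited to `role_arn` and conditioned on `service`."""
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if not any(a in ("iam:PassRole", "iam:*", "*") for a in _as_list(st.get("Action", []))):
            continue
        if _as_list(st.get("Resource")) != [role_arn]:
            return False
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get("iam:PassedToService") != service:
            return False
    return True
```

Running the two checks against the policies exported from an account (for example via the IAM API) gives a quick regression test that the role has not been widened by a later change.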

Discussion
tgv
Options: ADF

---> A D F

trungtd
Options: ADF

A. ensures that developers cannot make manual changes to the environment. D. ensures that only CloudFormation can assume this role. F. ensures that the role can only be passed to CloudFormation, not to any other service or user.