Examice

Exam SCS-C02 All QuestionsBrowse all questions from this exam

Question 18

A company uses several AWS CloudFormation stacks to handle the deployment of a suite of applications. The leader of the company's application development team notices that the stack deployments fail with permission errors when some team members try to deploy the stacks. However, other team members can deploy the stacks successfully.

The team members access the account by assuming a role that has a specific set of permissions that are necessary for the job responsibilities of the team members. All team members have permissions to perform operations on the stacks.

Which combination of steps will ensure consistent deployment of the stacks MOST securely? (Choose three.)

Create a service role that has a composite principal that contains each service that needs the necessary permissions. Configure the role to allow the sts:AssumeRole action.

Create a service role that has cloudformation.amazonaws.com as the service principal. Configure the role to allow the sts:AssumeRole action.

For each required set of permissions, add a separate policy to the role to allow those permissions. Add the ARN of each CloudFormation stack in the resource field of each policy.

For each required set of permissions, add a separate policy to the role to allow those permissions. Add the ARN of each service that needs the permissions in the resource field of the corresponding policy.

Update each stack to use the service role.

F Add a policy to each member role to allow the iam:PassRole action. Set the policy's resource field to the ARN of the service role.

Correct Answer: B, E

To ensure consistent deployment of the stacks most securely, create a service role that has cloudformation.amazonaws.com as the service principal and configure the role to allow the sts:AssumeRole action to ensure that the correct permissions are granted for CloudFormation operations. Update each stack to use this service role so that it uses the permissions defined by the role. Finally, add a policy to each member role to allow the iam:PassRole action and set the policy's resource field to the ARN of the service role to let team members pass the role to CloudFormation during deployments. This combination ensures that only the necessary permissions are granted and used consistently by all team members.

Discussion

PareshBPatel

BEF are the correct selection Thought to consistent deployment of CloudFormation stacks would actually be B. Create a service role that has cloudformation.amazonaws.com as the service principal. Configure the role to allow the sts:AssumeRole action. E. Update each stack to use the service role. F. Add a policy to each member role to allow the iam:PassRole action. Set the policy's resource field to the ARN of the service role. These steps ensure that CloudFormation has the necessary permissions through a service role designed specifically for it (B), that each stack is configured to use this service role for deployments (E), and that users have the permission to pass this role to CloudFormation (F), aligning with best practices for security and consistency.

CloudHellOptions: BCE

B ensures that CloudFormation has the necessary permissions through a dedicated service role. C restricts the permissions to the specific stacks, following the principle of least privilege. E ensures that each stack uses the service role during deployment.

SnapeOptions: BE

BEF is correct

mynickc

I took the exam today (Jan/28) and the choices E & F are two separate as per this question. In some of the comments, it was mentioned that E&F are considered as one choice.

WeepingMaplteOptions: BD

Ans: B D F. In Cloud formation, you select the required role during a new creation. The team members will deploy using the new role. updating the current stacks is not a priority as compared to IAM:PassRole.

Ciara123456

BDF, https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html

Karamen

BEF - Create a CloudFormation service role - Update your stack using the role when deploying - ensure iam:passrole

Karamen

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html

Christina666Options: BD

BDF By creating a service role specifically for AWS CloudFormation, you can limit the permissions to just what CloudFormation needs, and this reduces the risk of excessive permissions or accidental permission conflicts.

Raphaello

B D E To be able to update each stack to use the service role (E), user needs to be able to pass the role using iam:PassRole (F). But it is done once. I would go with E along side B & D.

5409b91Options: BDE

B, D, E.

cumzle_comOptions: BDE

B. Create a service role that has cloudformation.amazonaws.com as the service principal. Configure the role to allow the sts action. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html D. For each required set of permissions, add a separate policy to the role to allow those permissions. Add the ARN of each service that needs the permissions in the resource field of the corresponding policy. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html#using-iam-servicerole-add E. Update each stack to use the service role. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html

shailvardhanOptions: BE

BEF are the correct answers.

RaphaelloOptions: BDE

BDE Create a service role to be used by CloudFormation. For each service to be used by the CF stack, create the associated set of permissions. Assign the service role to the stack. The question does not feel right though, since it mentions all user assume an IAM role to access the account, therefore the stack they launch should use the permissions given to that IAM role, therefore the result should be the same for all users either (they don't launch the stack using their individual IAM users).

Raphaello

Ok, looking again at the options of this question, option D is a bit tricky. Yes you need to create permissions to CF service role, but there's nothing like "ARN of each service" to be added to the resource field. ARN's belong to resources not services, and in CF service role, resource element usually takes "*"; but even if you want to specify a resource it will be something like (arn:aws:s3:::my_bucket/*) NOT ARN OF EACH SERVICE! ARN <--> Resource..not service. For that, I would go with BEF. "F" (users being able to iam:PassRole) is important and the option is worded correctly. D is not worded correctly, as it starts with a correct part, but ended it with bogus! BEF.

brpjp

Yes, Correct answer is B D F, based on numbers of linked already provided and passrole from ChatGpt.

vincentsr7

why not A , dont we need a composite principal

Daniel76Options: BD

B,D and F. https://blog.awsfundamentals.com/aws-cloudformation-execution-permissions

Daniel76

Consider this article to justify F: passrole is needed so that team member who has limited permission by their own role, can run the stack using service role's permissions. https://medium.com/@sapna.mandhare/demystifying-iam-passrole-permission-d62a2dc69778

Lunga778

B D And F