SCS-C02 Exam Questions

SCS-C02 Exam - Question 18


A company uses several AWS CloudFormation stacks to handle the deployment of a suite of applications. The leader of the company's application development team notices that the stack deployments fail with permission errors when some team members try to deploy the stacks. However, other team members can deploy the stacks successfully.

The team members access the account by assuming a role that has a specific set of permissions that are necessary for the job responsibilities of the team members. All team members have permissions to perform operations on the stacks.

Which combination of steps will ensure consistent deployment of the stacks MOST securely? (Choose three.)

Correct Answer: BE

To ensure consistent deployment of the stacks most securely, create a service role that has cloudformation.amazonaws.com as the service principal and configure the role to allow the sts:AssumeRole action to ensure that the correct permissions are granted for CloudFormation operations. Update each stack to use this service role so that it uses the permissions defined by the role. Finally, add a policy to each member role to allow the iam:PassRole action and set the policy's resource field to the ARN of the service role to let team members pass the role to CloudFormation during deployments. This combination ensures that only the necessary permissions are granted and used consistently by all team members.
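The three steps in the explanation correspond to three concrete artifacts: a trust policy on the service role (B), an `update-stack` call that binds that role to each existing stack (E), and a tightly scoped `iam:PassRole` grant on each member role (F). The Python below is an added example, not code from the exam page or from AWS; it builds those documents and adds a small audit that flags a PassRole grant wider than the answer calls for. The account id, the role name `CloudFormationDeployRole` and the stack names are constructed placeholders; the `--role-arn` and `--use-previous-template` flags and the `iam:PassedToService` condition key are real AWS identifiers.

```python
"""Added example (not from the exam page): build and sanity-check the IAM
documents behind steps B, E and F of the answer.  The account id, role
name and stack names are constructed placeholders."""
import json
import shlex

ACCOUNT_ID = "123456789012"                       # placeholder account id
SERVICE_ROLE_NAME = "CloudFormationDeployRole"    # assumed role name
SERVICE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{SERVICE_ROLE_NAME}"
CFN_SERVICE = "cloudformation.amazonaws.com"


def service_role_trust_policy():
    """Step B: trust policy so only the CloudFormation service can assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": CFN_SERVICE},
            "Action": "sts:AssumeRole",
        }],
    }


def pass_role_policy(service_role_arn):
    """Step F: policy attached to each member role.  Resource is the service
    role's ARN only, and iam:PassedToService pins the receiving service."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": service_role_arn,
            "Condition": {"StringEquals": {"iam:PassedToService": CFN_SERVICE}},
        }],
    }


def update_stack_commands(stack_names, service_role_arn):
    """Step E: CLI invocations that attach the service role to existing stacks
    (--role-arn is the documented update-stack flag; the template is left unchanged)."""
    return [
        "aws cloudformation update-stack --stack-name {} --use-previous-template "
        "--role-arn {}".format(shlex.quote(name), service_role_arn)
        for name in stack_names
    ]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_allows_only_cloudformation(trust_policy):
    """True when every Allow statement names exactly the CloudFormation service principal."""
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or not isinstance(principal, dict):
            return False
        if set(principal) != {"Service"} or _as_list(principal["Service"]) != [CFN_SERVICE]:
            return False
    return True


def audit_pass_role_policy(policy, service_role_arn):
    """Findings for an iam:PassRole grant broader than the answer requires:
    wildcard actions, wildcard resources, or roles other than the service role."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"iam:passrole", "iam:*", "*"}:
            continue
        if actions & {"iam:*", "*"}:
            findings.append("PassRole granted through a wildcard action; name iam:PassRole explicitly")
        for resource in _as_list(stmt.get("Resource", [])):
            if "*" in resource:
                findings.append(f"PassRole allowed on wildcard resource {resource!r}; scope it to {service_role_arn}")
            elif resource != service_role_arn:
                findings.append(f"PassRole allowed on unexpected role {resource!r}")
    return findings


if __name__ == "__main__":
    print(json.dumps(service_role_trust_policy(), indent=2))
    print(json.dumps(pass_role_policy(SERVICE_ROLE_ARN), indent=2))
    print("\n".join(update_stack_commands(["app-web", "app-api"], SERVICE_ROLE_ARN)))
    # Constructed over-broad grant: PassRole on any role in the account.
    weak = {"Version": "2012-10-17",
            "Statement": {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}}
    print(audit_pass_role_policy(weak, SERVICE_ROLE_ARN))
```

The audit is the part worth keeping around: a member role that can pass any role (`Resource: "*"`) can hand CloudFormation a far more privileged role than the one built here, which is why the answer ties the resource field to the service role's ARN.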

Discussion

17 comments
PareshBPatel
Feb 11, 2024

BEF are the correct selection. The steps for consistent deployment of CloudFormation stacks would actually be: B. Create a service role that has cloudformation.amazonaws.com as the service principal. Configure the role to allow the sts:AssumeRole action. E. Update each stack to use the service role. F. Add a policy to each member role to allow the iam:PassRole action. Set the policy's resource field to the ARN of the service role. These steps ensure that CloudFormation has the necessary permissions through a service role designed specifically for it (B), that each stack is configured to use this service role for deployments (E), and that users have the permission to pass this role to CloudFormation (F), aligning with best practices for security and consistency.

Christina666 (Options: BD)
Nov 1, 2023

BDF. By creating a service role specifically for AWS CloudFormation, you can limit the permissions to just what CloudFormation needs, and this reduces the risk of excessive permissions or accidental permission conflicts.

Karamen
Nov 1, 2023

BEF - Create a CloudFormation service role - Update your stack using the role when deploying - ensure iam:PassRole

Karamen
Nov 1, 2023

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html

Ciara123456
Nov 13, 2023

BDF, https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html

WeepingMaplte (Options: BD)
Dec 19, 2023

Ans: B D F. In CloudFormation, you select the required role during a new creation. The team members will deploy using the new role. Updating the current stacks is not a priority as compared to iam:PassRole.

mynickc
Jan 28, 2024

I took the exam today (Jan/28) and the choices E & F are two separate choices in this question. In some of the comments, it was mentioned that E & F are considered as one choice.

Snape (Options: BE)
Apr 16, 2024

BEF is correct

CloudHell (Options: BCE)
Apr 17, 2024

B ensures that CloudFormation has the necessary permissions through a dedicated service role. C restricts the permissions to the specific stacks, following the principle of least privilege. E ensures that each stack uses the service role during deployment.

Raphaello
Dec 14, 2023

B D E. To be able to update each stack to use the service role (E), the user needs to be able to pass the role using iam:PassRole (F). But it is done once. I would go with E alongside B & D.

Lunga778
Nov 8, 2023

B, D and F

Daniel76 (Options: BD)
Nov 19, 2023

B, D and F. https://blog.awsfundamentals.com/aws-cloudformation-execution-permissions

Daniel76
Jan 1, 2024

Consider this article to justify F: iam:PassRole is needed so that a team member who has limited permissions in their own role can run the stack using the service role's permissions. https://medium.com/@sapna.mandhare/demystifying-iam-passrole-permission-d62a2dc69778

vincentsr7
Dec 13, 2023

Why not A? Don't we need a composite principal?

brpjp
Jan 1, 2024

Yes, the correct answer is B D F, based on the number of links already provided and PassRole from ChatGPT.

Raphaello (Options: BDE)
Feb 10, 2024

BDE. Create a service role to be used by CloudFormation. For each service to be used by the CF stack, create the associated set of permissions. Assign the service role to the stack. The question does not feel right though, since it mentions that all users assume an IAM role to access the account, therefore the stack they launch should use the permissions given to that IAM role, and therefore the result should be the same for all users (they don't launch the stack using their individual IAM users).

Raphaello
Feb 19, 2024

Ok, looking again at the options of this question, option D is a bit tricky. Yes, you need to create permissions for the CF service role, but there's nothing like "ARN of each service" to be added to the resource field. ARNs belong to resources, not services, and in a CF service role the resource element usually takes "*"; but even if you want to specify a resource it will be something like (arn:aws:s3:::my_bucket/*), NOT ARN OF EACH SERVICE! ARN <--> Resource, not service. For that, I would go with BEF. "F" (users being able to iam:PassRole) is important and the option is worded correctly. D is not worded correctly, as it starts with a correct part but ends with bogus! BEF.

shailvardhan (Options: BE)
May 28, 2024

BEF are the correct answers.

cumzle_com (Options: BDE)
Jun 18, 2024

B. Create a service role that has cloudformation.amazonaws.com as the service principal. Configure the role to allow the sts action. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html
D. For each required set of permissions, add a separate policy to the role to allow those permissions. Add the ARN of each service that needs the permissions in the resource field of the corresponding policy. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html#using-iam-servicerole-add
E. Update each stack to use the service role. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html

5409b91 (Options: BDE)
Jul 15, 2024

B, D, E.