Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 18 discussion

BEF are the correct selection Thought to consistent deployment of CloudFormation stacks would actually be B. Create a service role that has cloudformation.amazonaws.com as the service principal. Configure the role to allow the sts:AssumeRole action. E. Update each stack to use the service role. F. Add a policy to each member role to allow the iam:PassRole action. Set the policy's resource field to the ARN of the service role. These steps ensure that CloudFormation has the necessary permissions through a service role designed specifically for it (B), that each stack is configured to use this service role for deployments (E), and that users have the permission to pass this role to CloudFormation (F), aligning with best practices for security and consistency.

B. Create a service role that has cloudformation.amazonaws.com as the service principal. Configure the role to allow the sts action. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html D. For each required set of permissions, add a separate policy to the role to allow those permissions. Add the ARN of each service that needs the permissions in the resource field of the corresponding policy. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html#using-iam-servicerole-add E. Update each stack to use the service role. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html

BDF Why D and not E Service role needs: Proper trust policy (addressed by B) Proper permissions policies (addressed by D) Ability for users to pass the role (addressed by F) Stacks configured to use the role (addressed by E) D is more fundamental than E, since the question asks for the MOST secure combination.

BEF is the correct answer

Why Not A, C, or F? Option Reason for Rejection A A composite principal is unnecessary here. CloudFormation is the only service assuming the role, so we only need cloudformation.amazonaws.com. C Adding CloudFormation stack ARNs in the resource field is incorrect because policies should apply to the services being provisioned, not to CloudFormation stacks themselves. F iam:PassRole is only needed when a user or service is delegating a role to another AWS service (e.g., EC2 assuming an IAM role). CloudFormation assumes the role directly, so this step is not required.

BDF Option E: It's not necessary to explicitly update each stack to use the service role. CloudFormation automatically assumes the specified service role when performing stack operations, as long as the role is properly configured with the necessary permissions and trust relationships.

Anyone that voted "D", how can you add "Service Arn" (not Resource ARN) to the "Resource" field in an IAM policy?

BEF IS THE RIGHT ANSWER FOR THIS SCENARIO

In a scenario where E and F are combined as one choice (E) as someone stated then the correct answer would be BCE.

The voting buttons are messed up so it's showing the wrong answer. The answer is 100% definitely BEF but you can't vote for BEF.

For me - BDE looks good.

BDF make more sense to me.

B - the CloudFormation service to needs to assume the role to create the resources E - the stacks needs to use the role to gain permissions F - the IAM user needs the iam:PassRole permission to pass the role to the CloudFormation service

B, D, E.

BEF are the correct answers.

B ensures that CloudFormation has the necessary permissions through a dedicated service role. C restricts the permissions to the specific stacks, following the principle of least privilege. E ensures that each stack uses the service role during deployment.

BEF is correct