Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 412 discussion

Some stack templates might include resources that can affect permissions in your AWS account; for example, by creating new AWS Identity and Access Management (IAM) users. For those stacks, you must explicitly acknowledge this by specifying one of these capabilities. https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html

Question says "several previously unused AWS Regions" so you have to enable them under the Account first ? And the CAPABILITY_NAMED_IAM for the custom name

The correct answer is A. When deploying a CloudFormation stack set to multiple Regions, you need to ensure that the IAM role has sufficient permissions to create stacks in those Regions. The issue here is likely due to a limitation on the number of CloudFormation stacks that can be created in a Region. To resolve this issue, you should: Enable the new Regions in all relevant accounts. Specify the CAPABILITY_NAMED_IAM capability during the creation of the stack set. This allows AWS to create stacks without having to manage IAM roles for each stack instance.

A seems to be the right choice

C is the answer. The following resources require you to specify CAPABILITY_IAM or CAPABILITY_NAMED_IAM: AWS::IAM::Group, AWS::IAM::InstanceProfile, AWS::IAM::Policy, and AWS::IAM::Role. If the application contains IAM resources with custom names, you must specify CAPABILITY_NAMED_IAM. With self-managed permissions, you create the AWS Identity and Access Management (IAM) roles required by StackSets to deploy across accounts and AWS Regions. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs-self-managed.html https://docs.aws.amazon.com/serverlessrepo/latest/devguide/acknowledging-application-capabilities.html

Proper answer is - A We want to create Cloudformation stack that contains IAM role with custom name - so we need to set CAPABILITY_NAMED_IAM

Correct A