Exam AWS Certified Solutions Architect - Professional topic 1 question 597 discussion

A&C seems a better combination.

Between A & E, its better to go with A. In E, they gave option of stack policy. We use stack policy only for updates and as well to avoid any unintentional updates. In this scenario, they had not discussed the requirement of updates on the resources of CloudFormation stack. Between B,C,D - its better to go with B. In option C, they mentioned about inline policy which is not appropriate as we need to embed the policy not attach it and better to use managed policies than inline policies. Inline policies are assigned to service linked roles which is inherited from the parent or user . In option D, its saying to create role to each of the developers which is not the right way in assigning the permissions. A role can be used by multiple developers instead of creating each role to each developer.

AAA CCC 110% sure!

The answer is AC. B(wrong):"Modify the AssumeRolePolicyDocument action to allow the IAM role to be passed to CloudFormation." => this sentence is wrong. "AssumeRolePolicyDocument The trust policy that is associated with this role. Trust policies define which entities can assume the role." We need to use iam:Passrole to pass the role from developer to cloudformation. D(wrong): "create an IAM role for each developer". This sentence is wrong. E(wrong): The newly created role in central account cannot be directly used by CloudFormation to create resources in other account. In addition, similar to S3 bucket policy, CloudFormation stack policy is used to control who can update the stack, rather than allowing the stack to create/manage AWS resource.

C and E

agreed with AC

First we start by looking at either B or E, here E is more detailed and complete answer, so will go with E. Then is between A,C and D. D is not compliant with AWS not best practice to create role for each developer, so then between A and C. My answer would be C as this has an inline policy that prevents the developer from accessing the services directly. So answer is C and E

I'll go with A,C

I'll go with A,C

Here is a proposition of reasoning. First you must start from an account. Between B and E, you choose E because B is tempting (the statement about AssumeRolePolicyDocument looks right if I look this example : https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#aws-resource-iam-role--examples) but B does not allow you to export your configuration to other accounts. With E, CloudFormation gives itself the rights needed to auto-assign IAM. Then you use CloudFormation (options A, C, D). Remains to give rights to developers (C, D), but between these options, to respect the statement that "developers must not be able to create resources outside of CloudFormation", the only option is C "attach an inline policy to deny access to all other AWS services" not very fine grained, but the only present. Plus D has the keywords "for each developer" which as said by Anila is tedious. Therefore CE would be the right answers (as in the autocorrection, looking at the comments 90% of the answers are supposed to be good and I see discussion about the proposed answers on 50% !)

it's A&C

I would go with A & B. Because C is kinda duplicated with A and developers can manually amend policy by itself if required.

going with AC

I will go with AC

A AND C

A& C is the right answer. E is a misleading option. You need to deploy the CloudFormation template and not just the Stack policy. Moreover, the purpose of the stack policy is to prevent accidental changes to the resources being created by the CloudFormation template which is not the requirement. So A&C is correct.

I'll go with A,C