Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 74 discussion

Tricky one. Question has a hint -"to enforce the new restriction on the IAM role" (note its not IAM policy as mentioned in option B) Creating a policy with approved resources first and assuming/applying that role to engineers will enforce. So C is correct. (B lacks enforcement, B is incorrect)

C is correct not B , AWS CloudFormation makes calls to create, modify, and delete those resources on their behalf. To separate permissions between a user and the AWS CloudFormation service, use a service role. AWS CloudFormation uses the service role's policy to make calls instead of the user's policy. For more information, see AWS CloudFormation service role . check this out . https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html Option B would allow engineers to provision resources using other methods outside of CloudFormation, which would not comply with the new company policy. This would make it difficult to enforce the new restriction on the IAM role that the engineers use for access.

To enforce a policy where engineers can only provision approved resources via AWS CloudFormation, assign engineers IAM policies that only permit CloudFormation actions, and use a separate IAM service role for CloudFormation that allows only approved resource types. This setup ensures engineers cannot bypass restrictions, and provisioning is limited to approved services defined by the service role.

C. Update the IAM policy for the engineers’ IAM role with permissions to only allow AWS CloudFormation actions. Create a new IAM policy with permission to provision approved resources, and assign the policy to a new IAM service role. Assign the IAM service role to AWS CloudFormation during stack creation.

C, use the IAM service role to execute the stack

Option C is the most effective solution. It involves updating the engineers’ IAM role to only allow actions related to AWS CloudFormation, effectively preventing direct provisioning or modification of AWS resources outside of CloudFormation. By creating a service role (with permissions to provision approved resources) that CloudFormation assumes when executing templates, you enforce the provisioning of only approved resources through CloudFormation. This setup provides a clear separation of permissions: engineers can manage CloudFormation stacks but cannot directly create resources unless defined in a CloudFormation template and permitted by the service role. Option B suggests updating the IAM policy to allow only the provisioning of approved resources and CloudFormation actions. This approach could theoretically work by explicitly listing allowed actions for specific AWS services in the IAM policy. However, it might be challenging to maintain and could inadvertently permit actions outside of CloudFormation, depending on the policy’s specificity.

A = doesn't prevent to have a CloudFromation template with non-approved resources deployed B = this doesn't prevent engineers to provision resources from console or cli C = correct D = doesn't prevent to provision non-approved resources or to provision only via CloudFormation

B would be created generally in organization. C is fine , but more restriction , the user can only use the cloud formation stack sets only which is not good for organization level.

with B engineer will be able to directly provision resources without using of CF

The two contenders are Option B and C. Option B would allow the users to provision the approved resources without using CloudFormation (as the Users’ IAM role would permission that). So, this violates the requirement. Option C would ensure that Only Cloudformation can provision the resources. So, that’s the correct answer.

I prefer C, because you need to give permission to cloud formation

C no doubt

C. Update the IAM policy for the engineers’ IAM role with permissions to only allow AWS CloudFormation actions.

C IAM policy is allowing to provision of approved resources.

B does not enfore CF, otherwise it would work.

C https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/security-best-practices.html#use-iam-to-control-access https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html

You have to use a service role