
Answer-first summary for fast verification
Answer: Create a new IAM user for the deployment engineer and add the IAM user to a group that has an IAM policy that allows AWS CloudFormation actions only., Create an IAM role for the deployment engineer to explicitly define the permissions specific to the AWS CloudFormation stack and launch stacks using that IAM role.
## Explanation

The principle of least privilege means granting only the minimum permissions necessary to perform a job function. Let's analyze each option:

**A. Use AWS account root user credentials** - ❌ **Incorrect**
- Root user has full access to all AWS services and resources
- This violates the principle of least privilege
- Root credentials should never be used for daily operations

**B. Add to group with PowerUsers IAM policy** - ❌ **Incorrect**
- PowerUsers policy grants full access to AWS services and resources except IAM management
- Still provides excessive permissions beyond what's needed for CloudFormation operations

**C. Add to group with AdministratorAccess IAM policy** - ❌ **Incorrect**
- AdministratorAccess provides full AWS access
- This is the opposite of least privilege

**D. Create IAM user with CloudFormation-only policy** - ✅ **Correct**
- This follows least privilege by granting only CloudFormation permissions
- The engineer can perform CloudFormation operations but nothing else
- Can be combined with resource-level permissions for specific stacks

**E. Create IAM role for CloudFormation stack operations** - ✅ **Correct**
- IAM roles allow temporary security credentials
- Can define precise permissions for CloudFormation operations
- Supports cross-account access if needed
- Can be assumed by the deployment engineer

**Why D and E are correct:**
- **Option D** provides the most restrictive approach using IAM users with minimal permissions
- **Option E** provides a more flexible approach using IAM roles with temporary credentials
- Both options adhere to the principle of least privilege by granting only necessary CloudFormation permissions
- The combination ensures the deployment engineer can perform their job without excessive access

**Best Practice:**
1. Use IAM roles over IAM users when possible for temporary credentials
2. Create custom policies with only required CloudFormation actions
3. Include resource-level permissions to restrict which stacks can be managed
4. Use conditions to further restrict access if needed
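As an added example (not from the page or from LeetQuiz), one way to put options D and E into practice together: the group policy for option D, the trust policy for a CloudFormation service role for option E, and a small check that flags the broad grants behind options A to C. The account ID, the `deploy-` stack-name prefix and the role name are constructed placeholders, and the example assumes the role is handed to CloudFormation as a service role when the stack is launched.

```python
# Constructed placeholder identifiers (assumptions, not from the page).
ACCOUNT_ID = "123456789012"
STACK_ARN = f"arn:aws:cloudformation:us-east-1:{ACCOUNT_ID}:stack/deploy-*/*"
SERVICE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/cfn-deploy-stack-role"

def deployment_group_policy() -> dict:
    """Option D: CloudFormation actions only, limited to 'deploy-*' stacks, plus permission
    to hand exactly one service role to CloudFormation (which is what makes option E usable)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ManageDeployStacks", "Effect": "Allow",
         "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack",
                    "cloudformation:DeleteStack"],
         "Resource": STACK_ARN,
         # Condition: a stack may only be launched or changed with the approved service role
         "Condition": {"StringEquals": {"cloudformation:RoleArn": SERVICE_ROLE_ARN}}},
        {"Sid": "ReadDeployStacks", "Effect": "Allow",
         "Action": ["cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents"],
         "Resource": STACK_ARN},
        {"Sid": "PassOnlyTheStackRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": SERVICE_ROLE_ARN,
         "Condition": {"StringEquals": {"iam:PassedToService": "cloudformation.amazonaws.com"}}}]}

def stack_role_trust_policy() -> dict:
    """Option E: trust policy of the service role; only the CloudFormation service may assume it,
    so the resource permissions attached to the role never sit on the engineer's IAM user."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "cloudformation.amazonaws.com"},
         "Action": "sts:AssumeRole"}]}

def least_privilege_findings(policy: dict) -> list:
    """Return reasons a policy exceeds the CloudFormation-only scope (empty list means it passes).
    Catches the option A/B/C style grants: '*' actions, NotAction, '*' resources, other services."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Deny":
            continue  # Deny statements only narrow access, so they are never a finding
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", "*")  # a NotAction statement allows 'everything else'
        actions = actions if isinstance(actions, list) else [actions]
        resources = stmt.get("Resource", "*")
        resources = resources if isinstance(resources, list) else [resources]
        for action in actions:
            if action == "*" or not (action.startswith("cloudformation:") or action == "iam:PassRole"):
                findings.append(f"{sid}: action {action!r} is outside the CloudFormation-only scope")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' is not scoped to specific stacks or roles")
    return findings

if __name__ == "__main__":
    power_user_like = {"Statement": [{"Sid": "PowerUserLike", "Effect": "Allow",
                                      "NotAction": ["iam:*"], "Resource": "*"}]}
    print(least_privilege_findings(deployment_group_policy()), least_privilege_findings(power_user_like))
```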
Author: LeetQuiz Editorial Team
A new employee has joined a company as a deployment engineer. The deployment engineer will be using AWS CloudFormation templates to create multiple AWS resources. A solutions architect wants the deployment engineer to perform job activities while following the principle of least privilege.
Which combination of actions should the solutions architect take to accomplish this goal? (Choose two.)
A. Have the deployment engineer use AWS account root user credentials for performing AWS CloudFormation stack operations.
B. Create a new IAM user for the deployment engineer and add the IAM user to a group that has the PowerUsers IAM policy attached.
C. Create a new IAM user for the deployment engineer and add the IAM user to a group that has the AdministratorAccess IAM policy attached.
D. Create a new IAM user for the deployment engineer and add the IAM user to a group that has an IAM policy that allows AWS CloudFormation actions only.
E. Create an IAM role for the deployment engineer to explicitly define the permissions specific to the AWS CloudFormation stack and launch stacks using that IAM role.