Welcome to Pass4Success

Amazon DOP-C02 Exam - Topic 2 Question 13 Discussion

Actual exam question for Amazon's DOP-C02 exam
Question #: 13
Topic #: 2

A company's development team uses AWS CloudFormation to deploy its application resources. The team must use CloudFormation for all changes to the environment. The team cannot use the AWS Management Console or the AWS CLI to make manual changes directly.

The team uses a developer IAM role to access the environment. The role is configured with the AdministratorAccess managed policy. The company has created a new CloudFormationDeployment IAM role that has the following policy.

The company wants to ensure that only CloudFormation can use the new role, and that the development team cannot make any manual changes to the deployed resources.

Which combination of steps meets these requirements? (Select THREE.)

Suggested Answer: A, D, F

Explanation:

Option A is correct because removing the AdministratorAccess policy and assigning the ReadOnlyAccess managed IAM policy to the developer role prevents the developers from making manual changes to the deployed resources. AdministratorAccess grants full access to all AWS resources and actions, which the developers do not need; ReadOnlyAccess grants read-only access to most AWS resources, enough for the developers to inspect their stacks and resources. Instructing the developers to use the CloudFormationDeployment role as a CloudFormation service role when they deploy new stacks means the changes themselves are made by CloudFormation with that role's credentials rather than with the developers' own. A CloudFormation service role is an IAM role that allows CloudFormation to make calls to resources in a stack on behalf of the user [1]. The user specifies the service role when creating or updating a stack, and CloudFormation uses that role's credentials for all operations it performs on the stack [1]. One practical caveat: ReadOnlyAccess by itself grants neither cloudformation:CreateStack and cloudformation:UpdateStack nor iam:PassRole, so the developer role must additionally be allowed those actions (the scoped PassRole grant in option F covers the latter) or the developers will be unable to launch stacks at all.

Option B is incorrect because updating the trust policy of the CloudFormationDeployment role to allow the developer IAM role to assume it defeats the requirement. The developers could then assume the CloudFormationDeployment role themselves and act on the deployed resources directly, which is exactly what the company wants to prevent. The trust policy should allow only the cloudformation.amazonaws.com service principal to assume the role, as in option D.

Option C is incorrect because configuring the IAM user to get and pass the CloudFormationDeployment role for CloudFormation actions on resources is not the intended solution. This would let the developers pass the CloudFormationDeployment role to other services or resources, which is not what the company wants. The developers should only be able to pass the CloudFormationDeployment role to CloudFormation as a service role when they create or update a stack, as in option A.

Option D is correct because updating the trust policy of the CloudFormationDeployment role to allow the cloudformation.amazonaws.com service principal to assume the role is what lets CloudFormation use it as a service role and access resources in other services on behalf of the user [2]. A role's trust policy defines which principals can assume the role [2]; naming only cloudformation.amazonaws.com means CloudFormation, and not the developers or any other principal, can assume it. Two caveats on the option's wording: the action granted in a trust policy is sts:AssumeRole (there is no iam:AssumeRole action), and because a service principal is shared by every customer of that service, the statement should also carry an aws:SourceAccount condition (and, where the stack ARN is known, aws:SourceArn) so that only stacks in this account can cause CloudFormation to assume the role.

Option E is incorrect because instructing the developers to assume the CloudFormationDeployment role when they deploy new stacks is not a valid solution. If the developers can assume the role directly, they can use its credentials to act on the deployed resources outside CloudFormation, which is not what the company wants. The developers should only use the CloudFormationDeployment role as a service role passed to CloudFormation when they deploy new stacks, as in option A.

Option F is correct because it supplies the permissions that make the design work: a policy on CloudFormationDeployment that allows cloudformation:* on all resources, and a policy that allows iam:PassRole for the ARN of CloudFormationDeployment only when iam:PassedToService equals cloudformation.amazonaws.com. The first grants the CloudFormation API permissions the service role needs while it operates the stack [3]; it does not grant arbitrary actions on arbitrary resources, only the cloudformation:* actions. The second is the PassRole grant: whoever calls CreateStack or UpdateStack with a service role must hold iam:PassRole on that role, so this policy belongs on the identity that launches the stacks (the developer role), and the iam:PassedToService condition limits the grant so the role can be passed only to CloudFormation, never to Lambda, EC2 or another service that could act with its permissions [4]. Note that iam:PassedToService names the service the role is passed to; the condition does not mean that CloudFormation performs the pass. Together with the trust policy in option D, this ensures that only CloudFormation can use the role.
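The two policy documents that options D and F describe, as an added example that is not part of the exam page or of any AWS sample: the trust policy for CloudFormationDeployment and the scoped PassRole policy for the developer role, embedded in a deliberately simplified IAM evaluator so the decisions can be checked offline. The account ID 123456789012, the role name developer and the evaluator itself are assumptions; the evaluator models only Allow statements, exact/prefix-wildcard matching and StringEquals conditions, not the full IAM evaluation logic.

```python
"""Added example, not from the exam page: the two policy documents that options D and F
describe, plus a deliberately simplified IAM evaluator that shows which requests they allow.
The account ID and role names are placeholders."""
import json

ACCOUNT = "123456789012"  # placeholder account, not from the page
DEPLOY_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/CloudFormationDeployment"
DEVELOPER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/developer"  # assumed role name

# Option D: trust policy on CloudFormationDeployment. The action is sts:AssumeRole (there is
# no iam:AssumeRole). aws:SourceAccount pins the trust to this account so a stack in another
# account cannot make CloudFormation assume the role (confused-deputy mitigation).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "cloudformation.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT}},
    }],
}

# Option F, PassRole half. This sits on the identity that calls CreateStack/UpdateStack
# (the developer role); iam:PassedToService limits which service may receive the role.
DEVELOPER_PASSROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": DEPLOY_ROLE_ARN,
        "Condition": {"StringEquals": {"iam:PassedToService": "cloudformation.amazonaws.com"}},
    }],
}


def _matches(pattern, value):
    """Minimal IAM-style match: exact string, '*', or a 'prefix*' wildcard."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def _conditions_hold(condition, context):
    """Only StringEquals is modelled: every listed key must be present and equal."""
    return all(context.get(k) == v for k, v in condition.get("StringEquals", {}).items())


def is_allowed(policy, action, resource=None, principal=None, context=None):
    """Simplified evaluation: allowed iff some Allow statement matches the action, the
    resource (if the statement names one), the principal (for trust policies) and all
    of its StringEquals conditions. Explicit Deny and other operators are omitted."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_matches(a, action) for a in actions):
            continue
        if "Resource" in stmt and not _matches(stmt["Resource"], resource or ""):
            continue
        if "Principal" in stmt and stmt["Principal"] != principal:
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        return True
    return False


def who_can_use_the_role():
    """Decisions for the requests the exam answer hinges on."""
    cfn = {"Service": "cloudformation.amazonaws.com"}
    return {
        # Developer tries to assume CloudFormationDeployment directly (the option B/E path).
        "developer_assumes_directly": is_allowed(
            TRUST_POLICY, "sts:AssumeRole", principal={"AWS": DEVELOPER_ROLE_ARN}),
        # CloudFormation assumes it for a stack in this account (option D).
        "cloudformation_assumes": is_allowed(
            TRUST_POLICY, "sts:AssumeRole", principal=cfn,
            context={"aws:SourceAccount": ACCOUNT}),
        # A stack in another account tries to use the role through the service.
        "cloudformation_other_account": is_allowed(
            TRUST_POLICY, "sts:AssumeRole", principal=cfn,
            context={"aws:SourceAccount": "999999999999"}),
        # Developer passes the role to CloudFormation while creating a stack (option F).
        "pass_to_cloudformation": is_allowed(
            DEVELOPER_PASSROLE_POLICY, "iam:PassRole", resource=DEPLOY_ROLE_ARN,
            context={"iam:PassedToService": "cloudformation.amazonaws.com"}),
        # Developer tries to hand the same role to Lambda instead (escalation path).
        "pass_to_lambda": is_allowed(
            DEVELOPER_PASSROLE_POLICY, "iam:PassRole", resource=DEPLOY_ROLE_ARN,
            context={"iam:PassedToService": "lambda.amazonaws.com"}),
    }


if __name__ == "__main__":
    print(json.dumps(TRUST_POLICY, indent=2))
    print(json.dumps(DEVELOPER_PASSROLE_POLICY, indent=2))
    for request, allowed in who_can_use_the_role().items():
        print(f"{request}: {'ALLOW' if allowed else 'DENY'}")
```

Running it prints both policy documents and the five decisions: only the CloudFormation service principal from this account can assume the role, and the developer can pass it to CloudFormation but not to Lambda. The PassRole policy is shown attached to the developer identity on purpose: PassRole is evaluated against the caller of CreateStack, so attaching it to CloudFormationDeployment itself would grant nothing useful.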

References:

[1] AWS CloudFormation service roles

[2] How to use trust policies with IAM roles

[3] AWS::IAM::Policy

[4] IAM: Pass an IAM role to a specific AWS service


Contribute your Thoughts:

Alysa
3 months ago
Not sure about E, seems a bit off to me.
upvoted 0 times
...
Dorethea
3 months ago
Removing AdministratorAccess is a must, for sure!
upvoted 0 times
...
Lorita
3 months ago
Wait, can you really restrict all manual changes like that?
upvoted 0 times
...
Jennifer
4 months ago
I think option D is definitely the right move here.
upvoted 0 times
...
Chun
4 months ago
Sounds like a classic case of least privilege principle!
upvoted 0 times
...
Ashlyn
4 months ago
I feel like I might mix up the policies. I remember something about allowing the iam:PassRole action, but I'm not sure if it's necessary for this scenario.
upvoted 0 times
...
Walker
4 months ago
This question feels familiar. I think we practiced a similar one where we had to configure IAM roles for different services. I believe updating the trust policy for CloudFormation is crucial here.
upvoted 0 times
...
Eun
4 months ago
I'm a bit unsure about the trust relationships. I think we need to allow CloudFormation to assume the new role, but I can't recall if it's the developer role or the service principal that needs the trust update.
upvoted 0 times
...
Wendell
5 months ago
I remember we discussed the importance of restricting permissions for roles, especially when using CloudFormation. I think removing the AdministratorAccess policy is a good step.
upvoted 0 times
...
Ernest
5 months ago
Right, and we need to make sure the developers are instructed to use the CloudFormationDeployment role as the service role when deploying new stacks. That way, they can't bypass the restrictions.
upvoted 0 times
...
Theola
5 months ago
Yeah, that makes sense. And we should also remove the AdministratorAccess policy from the developer role and assign a ReadOnlyAccess policy instead, to limit their permissions.
upvoted 0 times
...
Dana
5 months ago
I think the key is to update the trust policy of the CloudFormationDeployment role to allow the CloudFormation service to assume that role. That way, the developers can use it when deploying new stacks, but no one else can.
upvoted 0 times
...
Kristal
5 months ago
Okay, let's think this through step-by-step. We need to ensure that only CloudFormation can use the new CloudFormationDeployment role, and the development team can't make any manual changes to the deployed resources.
upvoted 0 times
...
Art
5 months ago
This question seems straightforward, but I want to make sure I understand the requirements correctly before I start answering.
upvoted 0 times
...
Trina
5 months ago
This looks like a straightforward question about Logstash's capabilities. I'll need to carefully review the options and think through which ones Logstash can handle on its own.
upvoted 0 times
...
Tamekia
5 months ago
Okay, I think the key here is to look for the security solution that specifically addresses the bank's needs. I'll review the options and try to identify the most relevant one.
upvoted 0 times
...
Taryn
5 months ago
I'm a bit unsure about this one. The question mentions Dynamics 365 Supply Chain Management, but none of the options seem directly related to that. I'll need to think through the features and how they might integrate with Dynamics 365.
upvoted 0 times
...
Lisbeth
5 months ago
Hmm, I'm not too familiar with these wireless tools, so I'll need to think this through carefully. The key features mentioned seem to match Kismet, but I want to double-check the other options just to be sure.
upvoted 0 times
...
Julio
2 years ago
Haha, yeah, better safe than sorry, right? Gotta cover all our bases on this one. I'm feeling confident that we can nail this question if we work through it together.
upvoted 0 times
...
Alesia
2 years ago
Good point. I'm leaning more towards options D and F. Allowing the CloudFormation service to assume the deployment role, and adding the necessary IAM permissions, seems like the way to go.
upvoted 0 times
...
Paola
2 years ago
Yes, those look like the most promising options. Though I wonder if we also need to consider adding the iam:PassRole permission to the CloudFormation service, just to be extra sure.
upvoted 0 times
...