Which combination of actions should the solutions architect take to accomplish this goal? (Choose two.)
Have the deployment engineer use AWS account root user credentials for performing AWS CloudFormation stack operations.
Create a new IAM user for the deployment engineer and add the IAM user to a group that has the PowerUsers IAM policy attached.
Create a new IAM user for the deployment engineer and add the IAM user to a group that has the AdministratorAccess IAM policy attached.
Create a new IAM user for the deployment engineer and add the IAM user to a group that has an IAM policy that allows AWS CloudFormation actions only.
Create an IAM role for the deployment engineer to explicitly define the permissions specific to the AWS CloudFormation stack and launch stacks using that IAM role.
Explanations:
Using the AWS account root user credentials violates the principle of least privilege, as it provides unrestricted access to all AWS resources, which is not suitable for a deployment engineer’s role.
While the PowerUsers IAM policy grants permissions to create and manage AWS resources, it does not limit access to only CloudFormation-related actions, so it does not adhere to the principle of least privilege.
The AdministratorAccess IAM policy provides full access to all AWS services and resources, which is excessive for a deployment engineer and does not follow the principle of least privilege.
Creating a new IAM user with a group that has a policy allowing only AWS CloudFormation actions aligns with the principle of least privilege, as it restricts access to only the actions needed for the job.
Creating an IAM role that defines specific permissions for AWS CloudFormation allows the deployment engineer to perform necessary actions while adhering to the principle of least privilege, because the role can be tailored to just what is needed for stack operations.