Which solution will meet these requirements?
Create an IAM policy that allows the developers to provision the required resources. Attach the policy to the developer IAM role.
Create an IAM policy that allows full access to AWS CloudFormation. Attach the policy to the developer IAM role.
Create an AWS CloudFormation service role that has the required permissions. Grant the developer IAM role a cloudformation:* action. Use the new service role during stack deployments.
Create an AWS CloudFormation service role that has the required permissions. Grant the developer IAM role the iam:PassRole permission. Use the new service role during stack deployments.
Explanations:
Granting developers direct permissions to provision all required resources does not follow the principle of least privilege, as they would have broad access outside of CloudFormation.
Giving full access to AWS CloudFormation grants excessive permissions beyond what is necessary for stack deployments, violating the principle of least privilege.
Granting developers cloudformation:* permissions provides overly broad access to CloudFormation operations, which does not adhere to least privilege principles.
Creating a CloudFormation service role with the necessary permissions and granting developers iam:PassRole permission ensures that they can deploy stacks through CloudFormation without direct access to underlying resources, adhering to the least privilege principle.