Which factors could cause this failure?
(Choose two.)
The user’s IAM policy does not allow the cloudformation:CreateStack action.
The user’s IAM policy does not allow the cloudformation:CreateStackSet action.
The user’s IAM policy does not allow the s3:CreateBucket action.
The user’s IAM policy explicitly denies the s3:ListBucket action.
The user’s IAM policy explicitly denies the s3:PutObject action.
Explanations:
The user’s IAM policy must allow the cloudformation:CreateStack action for them to create a CloudFormation stack. Without this permission, the stack creation will fail regardless of other permissions.
The cloudformation:CreateStackSet action is not required for creating a single stack. This action is only relevant for stack sets, which manage multiple stacks across accounts and regions. Therefore, it does not impact the ability to create a stack.
The user’s IAM policy must allow the s3:CreateBucket action if the CloudFormation template is attempting to create an S3 bucket. Without this permission, the stack creation will fail because the necessary resources cannot be provisioned.
While an explicit deny on the s3:ListBucket action can prevent the user from listing objects in the bucket, it does not prevent the creation of the bucket itself. Thus, it is not a direct cause of stack creation failure.
An explicit deny on the s3:PutObject action would prevent the user from uploading objects to the bucket, but it would not prevent the creation of the bucket itself. Therefore, it does not cause the failure in stack creation.