Which combination of actions should the solutions architect take to accomplish this goal?

Explanations:

Using the root account for any operational tasks is not compliant with the principle of least privilege. It grants excessive permissions that can lead to security risks. Best practices dictate that individual IAM users should be created with specific permissions instead.

The PowerUsers IAM policy provides broad permissions that allow the user to manage all AWS services and resources except for IAM. This does not adhere to the principle of least privilege, as it grants more permissions than necessary for the deployment engineer’s specific tasks.

The Administrators/Access IAM policy grants full access to all AWS services and resources, violating the principle of least privilege. A deployment engineer should only have permissions necessary for deploying and managing CloudFormation stacks, not unrestricted access.

This option aligns with the principle of least privilege by limiting the deployment engineer’s permissions to only those required to perform AWS CloudFormation actions. It ensures that the user can create and manage stacks without unnecessary permissions to other AWS resources.

Creating an IAM role with specific permissions for AWS CloudFormation allows the deployment engineer to perform tasks related to CloudFormation while enforcing the principle of least privilege. It ensures that permissions are tightly scoped to only what is required for stack operations.