What should the solutions architect do to create the solution?

By:
In: SAP-C02
Tagged:
With: 1 Comment
A company is running several workloads in a single AWS account.A new company policy states that engineers can provision only approved resources and that engineers must use AWS CloudFormation to provision these resources.A solutions architect needs to create a solution to enforce the new restriction on the IAM role that the engineers use for access.

What should the solutions architect do to create the solution?

Upload AWS CloudFormation templates that contain approved resources to an Amazon S3 bucket. Update the IAM policy for the engineers’ IAM role to only allow access to Amazon S3 and AWS CloudFormation. Use AWS CloudFormation templates to provision resources.

Update the IAM policy for the engineers’ IAM role with permissions to only allow provisioning of approved resources and AWS CloudFormation. Use AWS CloudFormation templates to create stacks with approved resources.

Update the IAM policy for the engineers’ IAM role with permissions to only allow AWS CloudFormation actions. Create a new IAM policy with permission to provision approved resources, and assign the policy to a new IAM service role. Assign the IAM service role to AWS CloudFormation during stack creation.

Provision resources in AWS CloudFormation stacks. Update the IAM policy for the engineers’ IAM role to only allow access to their own AWS CloudFormation stack.

Explanations:

This option restricts IAM permissions to Amazon S3 and CloudFormation but does not control which resources can be provisioned within CloudFormation. Engineers could still use non-approved templates for resource provisioning.

While restricting the IAM role permissions to approved resources and CloudFormation, this approach does not enforce template-based restrictions. Engineers could still include non-approved resources within their templates.

This solution limits engineers’ permissions to CloudFormation-only actions, while an IAM service role with specific permissions to approved resources restricts what resources CloudFormation can provision on behalf of engineers.

Restricting access to engineers’ own stacks does not enforce using only approved resources or templates; engineers would still be able to create stacks with unapproved resources within their own stack.

2025-10-17

1 Comment

  1. Joshua
    Author

    I weigh that the answer is:
    Update the IAM policy for the engineers’ IAM role with permissions to only allow AWS CloudFormation actions. Create a new IAM policy with permission to provision approved resources, and assign the policy to a new IAM service role. Assign the IAM service role to AWS CloudFormation during stack creation.

Leave a Reply

Your email address will not be published. Required fields are marked *

one × 1 =