Which solution will meet these requirements?
Create an IAM policy that allows the developers to provision the required resources. Attach the policy to the developer IAM role.
Create an IAM policy that allows full access to AWS CloudFormation. Attach the policy to the developer IAM role.
Create an AWS CloudFormation service role that has the required permissions. Grant the developer IAM role a cloudformation:* action. Use the new service role during stack deployments.
Create an AWS CloudFormation service role that has the required permissions. Grant the developer IAM role the iam:PassRole permission. Use the new service role during stack deployments.
Explanations:
This option allows the developer IAM role to provision the required resources, but it does not follow the principle of least privilege. Developers would hold the provisioning permissions directly, so they could create, change or delete those resources from the console or CLI outside of any stack, not just through CloudFormation. The required permissions should instead sit on a CloudFormation service role, so that developers can deploy stacks without being able to provision the resources themselves.
This option gives the developer IAM role full access to AWS CloudFormation. This does not follow the principle of least privilege, as it provides broader access than necessary to CloudFormation. Developers should only have permission to deploy stacks via a controlled service role, not full administrative access to CloudFormation.
This option creates the service role but then grants the developer IAM role cloudformation:*, which is far broader than the handful of stack actions (create, update, delete, describe) a deployment needs. More importantly, it never grants iam:PassRole, so the developers cannot hand the service role to CloudFormation when they deploy: a CreateStack or UpdateStack call that names the role is denied, and a call without it runs under the developers' own permissions, which do not include provisioning the resources. The service role is therefore unusable in this option.
This option follows the principle of least privilege. The CloudFormation service role holds the provisioning permissions, and the developer IAM role receives only the iam:PassRole permission (in addition to the CloudFormation stack actions it needs to run deployments). When a developer deploys, CloudFormation assumes the service role and creates the resources under that role's permissions, so the developers can deploy stacks without any direct ability to provision the resources themselves. Scope the iam:PassRole statement to the service role's ARN and, ideally, add an iam:PassedToService condition limited to cloudformation.amazonaws.com: an unscoped iam:PassRole would let developers pass any role in the account, including a more privileged one, to CloudFormation.
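The following CloudFormation template shows what the correct option looks like when written down. It is an added example, not code from the original page or from AWS: the role name cfn-deploy-role, the dev-* stack name prefix, the S3 and DynamoDB actions granted to the service role, and the DeveloperRoleName parameter are all assumptions standing in for whatever the developers' stacks actually provision.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not from the original page): a CloudFormation service role
  that holds the provisioning permissions, plus a developer policy that only
  allows stack operations and passing that one role to CloudFormation.

Parameters:
  DeveloperRoleName:
    Type: String
    Description: Name of the existing developer IAM role (assumed to exist)

Resources:
  # The service role does the actual provisioning.
  # Only the CloudFormation service may assume it; developers never can.
  CfnDeployRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: cfn-deploy-role            # assumed name
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: provision-app-resources
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Assumed scope: the stacks create S3 buckets and DynamoDB
              # tables. Narrow Resource further once the naming is known.
              - Effect: Allow
                Action:
                  - s3:CreateBucket
                  - s3:DeleteBucket
                  - s3:PutBucketPolicy
                  - s3:PutBucketTagging
                  - dynamodb:CreateTable
                  - dynamodb:DeleteTable
                  - dynamodb:DescribeTable
                  - dynamodb:UpdateTable
                Resource: '*'

  # What the developers get: stack operations, not cloudformation:*, and
  # iam:PassRole limited to the one service role and to CloudFormation.
  DeveloperDeployPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Roles:
        - !Ref DeveloperRoleName
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Mutating stack actions, only on dev-* stacks (assumed prefix),
          # and only when the service role is the one supplied as RoleARN.
          - Sid: DeployStacksWithServiceRole
            Effect: Allow
            Action:
              - cloudformation:CreateStack
              - cloudformation:UpdateStack
              - cloudformation:DeleteStack
              - cloudformation:CreateChangeSet
            Resource: !Sub 'arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/dev-*/*'
            Condition:
              StringEquals:
                cloudformation:RoleArn: !GetAtt CfnDeployRole.Arn
          # Read-only stack actions; ListStacks has no resource-level support.
          - Sid: InspectStacks
            Effect: Allow
            Action:
              - cloudformation:DescribeStacks
              - cloudformation:DescribeStackEvents
              - cloudformation:DescribeChangeSet
              - cloudformation:ExecuteChangeSet
              - cloudformation:GetTemplate
              - cloudformation:ListStacks
            Resource: '*'
          # Developers may hand CloudFormation exactly this role, nothing else.
          - Sid: PassDeployRoleToCloudFormation
            Effect: Allow
            Action: iam:PassRole
            Resource: !GetAtt CfnDeployRole.Arn
            Condition:
              StringEquals:
                iam:PassedToService: cloudformation.amazonaws.com

Outputs:
  DeployRoleArn:
    Description: Pass this ARN as --role-arn when deploying stacks
    Value: !GetAtt CfnDeployRole.Arn
```

Deploying this template requires CAPABILITY_NAMED_IAM because it names the role. Afterwards, developers deploy with `aws cloudformation create-stack --stack-name dev-myapp --role-arn <DeployRoleArn> ...`; the cloudformation:RoleArn condition on the mutating actions means a CreateStack that omits the role, or names a different one, is denied rather than silently running under the developer's own permissions.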