Topic 1 Question 18
Select 3. A company uses several AWS CloudFormation stacks to handle the deployment of a suite of applications. The leader of the company's application development team notices that the stack deployments fail with permission errors when some team members try to deploy the stacks. However, other team members can deploy the stacks successfully. The team members access the account by assuming a role that has a specific set of permissions that are necessary for the job responsibilities of the team members. All team members have permissions to perform operations on the stacks. Which combination of steps will ensure consistent deployment of the stacks MOST securely?
A. Create a service role that has a composite principal that contains each service that needs the necessary permissions. Configure the role to allow the sts:AssumeRole action.
B. Create a service role that has cloudformation.amazonaws.com as the service principal. Configure the role to allow the sts:AssumeRole action.
C. For each required set of permissions, add a separate policy to the role to allow those permissions. Add the ARN of each CloudFormation stack in the resource field of each policy.
D. For each required set of permissions, add a separate policy to the role to allow those permissions. Add the ARN of each service that needs the permissions in the resource field of the corresponding policy.
E. Update each stack to use the service role.
F. Add a policy to each member role to allow the iam:PassRole action. Set the policy's resource field to the ARN of the service role.
Comments (17)
BEF are the correct selection. Thought to consistent deployment of CloudFormation stacks would actually be:
B. Create a service role that has cloudformation.amazonaws.com as the service principal. Configure the role to allow the sts:AssumeRole action.
E. Update each stack to use the service role.
F. Add a policy to each member role to allow the iam:PassRole action. Set the policy's resource field to the ARN of the service role.
These steps ensure that CloudFormation has the necessary permissions through a service role designed specifically for it (B), that each stack is configured to use this service role for deployments (E), and that users have the permission to pass this role to CloudFormation (F), aligning with best practices for security and consistency.
👍 13 PareshBPatel 2024/02/11
Selected answer: BDE
B. Create a service role that has cloudformation.amazonaws.com as the service principal. Configure the role to allow the sts action.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html
D. For each required set of permissions, add a separate policy to the role to allow those permissions. Add the ARN of each service that needs the permissions in the resource field of the corresponding policy.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html#using-iam-servicerole-add
E. Update each stack to use the service role.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html
👍 6 cumzle_com 2024/06/18
Selected answer: BDE
B, D, E.
👍 55409b912024/07/15
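The policy documents that options B and F describe, with a small check over them, as an added example that is not part of the original page or any commenter's post. The account ID, role name and function names are constructed placeholders, and the iam:PassedToService condition is extra scoping that the page does not mention.

```python
# Constructed placeholder ARN, not a value from the page.
ROLE_ARN = "arn:aws:iam::111122223333:role/example-cfn-service-role"
CFN = "cloudformation.amazonaws.com"

# Option B: only the CloudFormation service may assume the service role.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": CFN}, "Action": "sts:AssumeRole"}]}

# Option F: attached to each member role; Resource is the service role ARN.
# The iam:PassedToService condition is added hardening, not from the page.
PASS_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "iam:PassRole", "Resource": ROLE_ARN,
    "Condition": {"StringEquals": {"iam:PassedToService": CFN}}}]}

def as_list(value):
    """IAM allows a single string or a list for most fields."""
    return value if isinstance(value, list) else [value]

def trust_findings(policy):
    """Flag Allow statements that trust anything besides CloudFormation."""
    findings = []
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"} \
                or as_list(principal["Service"]) != [CFN]:
            findings.append("principal is not limited to " + CFN)
        if as_list(st.get("Action")) != ["sts:AssumeRole"]:
            findings.append("trust statement allows more than sts:AssumeRole")
    return findings

def pass_role_findings(policy, role_arn):
    """Flag iam:PassRole grants that are missing or wider than one role ARN."""
    grants = [st for st in as_list(policy["Statement"])
              if st.get("Effect") == "Allow" and any(
                  a.lower() in ("iam:passrole", "iam:*", "*")
                  for a in as_list(st.get("Action", [])))]
    findings = [] if grants else ["no iam:PassRole grant found"]
    for st in grants:
        if as_list(st.get("Resource")) != [role_arn]:
            findings.append("iam:PassRole is not scoped to the service role ARN")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get("iam:PassedToService") != CFN:
            findings.append("iam:PassRole is not restricted to " + CFN)
    return findings
```

Both functions return an empty list for the two sample documents; a wildcard Resource or a multi-service principal produces findings.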