
SAP-C02 Question #742: Real Exam Question with Answer & Explanation

The correct answer is B: In the parent account, edit the trust policy for the role that the EC2 instance needs to assume. When an instance profile role is recreated, its ARN changes, breaking existing cross-account trust policies; the trust policy of the target role in the parent account must be updated to allow the new ARN of the child account's role to assume it.

Submitted by yuriko_h · Mar 6, 2026 · Continuous Improvement for Existing Solutions

Question

A solutions architect is creating an AWS CloudFormation template from an existing manually created non-production AWS environment. The CloudFormation template can be destroyed and recreated as needed. The environment contains an Amazon EC2 instance. The EC2 instance has an instance profile that the EC2 instance uses to assume a role in a parent account. The solutions architect recreates the role in a CloudFormation template and uses the same role name. When the CloudFormation template is launched in the child account, the EC2 instance can no longer assume the role in the parent account because of insufficient permissions. What should the solutions architect do to resolve this issue?

Options

  • A. In the parent account, edit the trust policy for the role that the EC2 instance needs to assume.
  • B. In the parent account, edit the trust policy for the role that the EC2 instance needs to assume.
  • C. Update the CloudFormation stack again. Specify only the CAPABILITY_NAMED_IAM capability.
  • D. Update the CloudFormation stack again. Specify the CAPABILITY_IAM capability and the

Explanation

When an instance profile role is recreated, its ARN changes, breaking existing cross-account trust policies; the trust policy of the target role in the parent account must be updated to allow the new ARN of the child account's role to assume it.
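The check and the fix behind option B, as an added example that is not part of the original question page. IAM stores a role ARN named in a Principal as that role's unique principal ID, so once the child role is deleted and recreated the parent's trust policy still names the old identity (shown as a bare AROA... ID) and the recreated role is not trusted; the account IDs, role name and unique ID below are constructed placeholders.

```python
import json
import re

# Constructed sample: the parent account's trust policy as it looks after the
# child account's role was deleted and recreated with the same name. The
# Principal no longer shows an ARN but the deleted role's unique ID.
PARENT_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "AROAEXAMPLEID1234567"},  # constructed stale ID
            "Action": "sts:AssumeRole",
        }
    ],
}

# Constructed ARN of the recreated role in the child account.
CHILD_ROLE_ARN = "arn:aws:iam::111122223333:role/ChildInstanceRole"

# Role unique IDs start with "AROA"; a bare one in a Principal means the
# role it referred to has been deleted.
UNIQUE_ID_RE = re.compile(r"^AROA[A-Z0-9]{16,}$")


def find_stale_principals(policy):
    """Return (statement_index, principal) pairs whose AWS principal is a
    bare unique ID rather than an ARN, i.e. a trust that no longer applies."""
    stale = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        aws = stmt.get("Principal", {}).get("AWS", [])
        for principal in [aws] if isinstance(aws, str) else aws:
            if UNIQUE_ID_RE.match(principal):
                stale.append((i, principal))
    return stale


def repair_trust_policy(policy, new_role_arn):
    """Return a copy of the policy in which every stale unique-ID principal
    is replaced by new_role_arn; this is the edit made in the parent account."""
    fixed = json.loads(json.dumps(policy))  # deep copy, leave the input intact
    for i, stale in find_stale_principals(policy):
        aws = fixed["Statement"][i]["Principal"]["AWS"]
        if isinstance(aws, str):
            fixed["Statement"][i]["Principal"]["AWS"] = new_role_arn
        else:
            fixed["Statement"][i]["Principal"]["AWS"] = [
                new_role_arn if p == stale else p for p in aws
            ]
    return fixed
```

Feeding the real document from `aws iam get-role` into `find_stale_principals` tells you whether the trust policy, rather than a missing CloudFormation capability, is what broke the assume-role call.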

Common mistakes.

  • A. This option is identical to B, implying a potential duplication in the question's choices, but the action described is the correct resolution.
  • C. The CAPABILITY_NAMED_IAM capability is required for CloudFormation to create IAM resources with custom names but does not resolve issues with broken cross-account trust policies due to ARN changes.
  • D. The CAPABILITY_IAM capability is a broader requirement for IAM resource creation via CloudFormation but, like CAPABILITY_NAMED_IAM, it does not fix a broken cross-account trust policy.

Concept tested. Cross-account IAM role trust policies and ARNs

Reference. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html#roles-creatingrole-trustedentity-other-account
