SCS-C02 Question #410: Real Exam Question with Answer & Explanation
The correct answer is A.
Question
A security engineer needs to run an AWS CloudFormation script. The CloudFormation script builds AWS infrastructure to support a stack that includes web servers and a MySQL database. The stack has been deployed in pre-production environments and is ready for production. The production script must comply with the principle of least privilege. Additionally, separation of duties must exist between the security engineer's IAM account and CloudFormation. Which solution will meet these requirements?
Options
- A. Use IAM Access Analyzer policy generation to generate a policy that allows the CloudFormation
- B. Create an IAM policy that allows ec2:* and rds:* permissions. Attach the policy to a new IAM role.
- C. Use IAM Access Analyzer policy generation to generate a policy that allows the CloudFormation
- D. Create an IAM policy that allows ec2:* and rds:* permissions. Attach the policy to a new IAM role.
Explanation
Option A is correct because IAM Access Analyzer can analyze the CloudTrail logs from the pre-production deployments and automatically generate a least-privilege policy covering only the API actions CloudFormation actually called. Attaching that policy to a CloudFormation service role means the stack runs under its own IAM role rather than under the engineer's credentials, which satisfies the separation-of-duties requirement.
Option C uses the same policy-generation step but attaches the policy directly to the engineer's IAM account, which collapses the separation of duties: CloudFormation would inherit the engineer's permissions rather than operating under an independent identity.
Options B and D use ec2:* and rds:* wildcard permissions, which grant far more access than needed (for example ec2:DeleteVpc and rds:DeleteDBInstance) and directly violate the principle of least privilege regardless of where the policy is attached.
Memory tip: Think "Access Analyzer = least privilege, Service Role = separation of duties." Whenever an exam question combines both requirements, the answer involves Access Analyzer generating the policy and a CloudFormation service role consuming it: the engineer triggers the stack, but CloudFormation acts under its own identity.