AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question

A CloudOps engineer is deploying a CloudFormation template from the AWS CLI. The template creates an AWS Systems Manager (SSM) Automation document that specifies the IAM role CloudOpsAutomationRole in the AssumeRole property. The stack fails with the error "AccessDenied: iam:PassRole is not authorized for arn:aws:iam::123456789012:role/CloudOpsAutomationRole." What is the MOST appropriate fix to allow the stack to succeed without granting excessive permissions?

Include the CAPABILITY_NAMED_IAM flag when running the aws cloudformation create-stack command.
Create a new CloudFormation StackSet administrator role and rerun the deployment.
Add an inline policy that allows iam:PassRole on the CloudOpsAutomationRole ARN to the IAM role that CloudFormation assumes during stack creation.
Attach the AmazonSSMFullAccess managed policy to the CloudOpsAutomationRole so that it can perform additional SSM actions.

Report Issue

Answer Description

When a CloudFormation template references an IAM role in the AssumeRole property of an SSM Automation document, CloudFormation must call iam:PassRole so that Systems Manager can assume that role. The principal that CloudFormation uses during the deployment (the execution role) therefore needs iam:PassRole permission for the specific role ARN. Granting that narrowly scoped permission to the CloudFormation execution role follows the principle of least privilege and resolves the failure. Attaching AmazonSSMFullAccess to the target role, creating a StackSet administrator role, or simply adding CAPABILITY_NAMED_IAM do not give CloudFormation the missing iam:PassRole permission, so the stack would still fail.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.