AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
A CloudOps engineer runs "cdk deploy" to launch a stack that creates an Amazon ECS task execution role. The deployment consistently fails with the message "User is not authorized to perform iam:PassRole" even though the engineer's IAM user has that permission. The project uses a dedicated CloudFormation execution role named cfn-exec-role that already has AdministratorAccess attached. What is the MOST appropriate way to remediate the failure so the deployment succeeds?
Add a Name tag to the ECS task execution role resource so CloudFormation can reference it during creation.
Attach the iam:PassRole permission to the engineer's IAM user instead of the execution role, then run the deployment again.
Enable CloudFormation termination protection on the stack and retry the deployment to bypass the error.
Add a policy to cfn-exec-role that explicitly allows iam:PassRole on the ARN of the new ECS task execution role and redeploy the stack.
During a CDK deployment, CloudFormation assumes the stack's execution role (here cfn-exec-role) to create resources, so an authorization error on iam:PassRole is evaluated against that role's effective permissions, not against the engineer's IAM user. PassRole is not needed to create the ECS task execution role itself; it is needed when the stack passes that role to a service, for example when the ECS task definition is registered with the new role's ARN as its executionRoleArn. If cfn-exec-role's effective permissions do not allow iam:PassRole for that ARN, the call is denied regardless of what the engineer is allowed to do directly. Adding a policy statement to cfn-exec-role that allows iam:PassRole on the specific task execution role (a full role ARN such as arn:aws:iam::<account-id>:role/EcsTaskExec, or a constrained pattern such as arn:aws:iam::*:role/EcsTaskExec*) restores the permission without widening the role further. Modifying the engineer's user, changing resource tags, or toggling termination protection does not touch the service-role permission that is blocking the stack. One caveat worth checking in practice: AdministratorAccess is an allow-all policy whose "Action": "*" already includes iam:PassRole, so a PassRole denial on a role that carries it means the role's effective permissions are being narrowed elsewhere, typically by a permissions boundary on cfn-exec-role or an organization SCP; an allow added to the identity policy cannot override an explicit Deny from either of those, so if the denial persists after the policy is added, look there next.
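The scoped statement described above, checked offline with a small IAM-style matcher so the scope can be reviewed before it is attached. This is an added example for this page, not code from the exam question or from AWS; the account ID 123456789012, the role name EcsTaskExec, the AdminRole ARN and the S3-only permissions boundary are assumed for illustration (only cfn-exec-role appears in the question). It also shows the permissions-boundary caveat: a correct allow in the identity policy does not help when a boundary on the same role does not allow the action.

```python
"""Least-privilege iam:PassRole grant for a CloudFormation execution role,
checked offline with a small IAM-style matcher.

Added example for this page, not code from the exam question or from AWS.
Assumed names: account 123456789012, task execution role EcsTaskExec,
AdminRole, and an S3-only boundary; only cfn-exec-role is in the question."""
import fnmatch
import json
import re

ACCOUNT_ID = "123456789012"                      # assumed, not from the question
TASK_EXEC_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/EcsTaskExec"
ECS_TASKS = "ecs-tasks.amazonaws.com"            # service the role is passed to

# Role ARNs need an account ID (or * in a policy); "arn:aws:iam:::role/x" is malformed.
ROLE_ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}|\*):role/[\w+=,.@/*?-]+$")


def is_role_arn(arn: str) -> bool:
    return bool(ROLE_ARN_RE.match(arn))


def pass_role_statement(role_arn: str, passed_to: str = ECS_TASKS) -> dict:
    """Statement to add to cfn-exec-role: one action, one resource, and a
    condition so the role can only be passed to the intended service."""
    if not is_role_arn(role_arn):
        raise ValueError(f"not a valid IAM role ARN: {role_arn!r}")
    return {
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": role_arn,
        "Condition": {"StringEquals": {"iam:PassedToService": passed_to}},
    }


def policy_document(*statements: dict) -> dict:
    return {"Version": "2012-10-17", "Statement": list(statements)}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern: str, value: str, fold_case: bool = False) -> bool:
    """IAM wildcard match: * is any run, ? one character. Action names are
    case-insensitive, ARNs are case-sensitive."""
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def allows(policy: dict, action: str, resource: str, context=None) -> bool:
    """Simplified evaluation of one policy: an explicit Deny wins, otherwise
    any matching Allow grants. Only StringEquals conditions are modelled,
    which is enough for iam:PassedToService."""
    context = context or {}
    allowed = False
    for st in policy["Statement"]:
        if not any(_match(a, action, True) for a in _as_list(st.get("Action", []))):
            continue
        if not any(_match(r, resource) for r in _as_list(st.get("Resource", []))):
            continue
        wanted = st.get("Condition", {}).get("StringEquals", {})
        if any(context.get(key) != val for key, val in wanted.items()):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def effective(identity_policy: dict, boundary: dict, action, resource, context=None) -> bool:
    """With a permissions boundary, both the identity policy and the boundary
    must allow; a broad allow in one cannot rescue a gap in the other."""
    return allows(identity_policy, action, resource, context) and allows(boundary, action, resource, context)


SCOPED = policy_document(pass_role_statement(TASK_EXEC_ROLE_ARN))
BROAD = policy_document({"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"})
S3_ONLY_BOUNDARY = policy_document({"Effect": "Allow", "Action": "s3:*", "Resource": "*"})  # assumed boundary
ECS_CTX = {"iam:PassedToService": ECS_TASKS}
OTHER_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/AdminRole"  # assumed, for contrast


def check() -> dict:
    """Outcomes a reviewer would want to see before attaching the policy."""
    return {
        "scoped_passes_task_exec_role": allows(SCOPED, "iam:PassRole", TASK_EXEC_ROLE_ARN, ECS_CTX),
        "scoped_refuses_other_role": allows(SCOPED, "iam:PassRole", OTHER_ROLE, ECS_CTX),
        "scoped_refuses_other_service": allows(SCOPED, "iam:PassRole", TASK_EXEC_ROLE_ARN,
                                               {"iam:PassedToService": "lambda.amazonaws.com"}),
        "broad_passes_any_role": allows(BROAD, "iam:PassRole", OTHER_ROLE, ECS_CTX),
        "scoped_but_boundary_blocks": effective(SCOPED, S3_ONLY_BOUNDARY, "iam:PassRole",
                                                TASK_EXEC_ROLE_ARN, ECS_CTX),
    }


if __name__ == "__main__":
    print(json.dumps(SCOPED, indent=2))
    for name, outcome in check().items():
        print(f"{name}: {outcome}")
```

The printed SCOPED document is what you would attach to cfn-exec-role (for example with aws iam put-role-policy); the matcher is a teaching aid that models only Allow/Deny, wildcards and StringEquals, not the full IAM evaluation logic, so use the real IAM policy simulator for anything beyond this check.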