Questions 61 to 63
Explanations for questions 61 to 63
We'll cover the following
Question 61
Developers regularly create and update CloudFormation stacks using API calls. For security reasons, you need to ensure that users are restricted to a specified template. How can this be achieved?
- Store the template on Amazon S3, and use a bucket policy to restrict access.
- Create an IAM policy with a Condition: ResourceTypes parameter.
- Create an IAM policy with a Condition: TemplateURL parameter.
- Create an IAM policy with a Condition: StackPolicyURL parameter.
Correct Answer: 3
Explanation:
The cloudformation:TemplateURL lets you specify where the CloudFormation template for a stack action (such as create or update) resides and enforces that it be used.
INCORRECT: “Store the template on Amazon S3, and use a bucket policy to restrict access.” is incorrect. Configuring a bucket policy on the Amazon S3 bucket where you place your templates is a good idea, but it does not enforce CloudFormation to create and update API requests to use the templates in the bucket.
INCORRECT: “Create an IAM policy with a Condition: ResourceTypes parameter.” is incorrect. The CloudFormation API accepts a ResourceTypes parameter. In your API call, you specify which types of resources can be created or updated. This does not control which template is used.
CORRECT: “Create an IAM policy with a Condition: TemplateURL parameter.” is the correct answer.
INCORRECT: “Create an IAM policy with a Condition: StackPolicyURL parameter.” is incorrect. You can ensure that every CloudFormation stack has a stack policy associated with it upon creation with the StackPolicyURL condition. However, this parameter itself is not used to specify the template to use.
References:
https://aws.amazon.com/blogs/devops/aws-cloudformation-security-best-practices/
https://aws.amazon.com/cloudformation/aws-cloudformation-templates/
Level up your interview prep. Join Educative to access 70+ hands-on prep courses.