
  • Tutorials-Dojo

    Administrator
    August 13, 2023 at 7:52 am

    Hi Mike,

    Thank you for posting your question. Please take note that the question numbers on our practice exams are jumbled, so your Set 3 – Question 14 is quite different from everyone else's. Nonetheless, I was able to find the item you are referring to.

    I understand that you are concerned about the use of the launch constraints to authorize users to deploy CloudFormation stacks instead of using template constraints. Let’s check the scenario and options here again to have more context:

    A company wants to employ a new standard that requires the creation of resources through AWS CloudFormation. Due to this, IT administrators need to make sure that users can only deploy stacks from pre-approved CloudFormation templates. They also need to implement a monitoring solution that automatically detects resources that drift from the expected configuration.

    Which actions will accomplish these requirements? (Select TWO.)

    Option 1 – Use CloudFormation service role to authorize users to deploy CloudFormation stacks.

    Option 2 – Use AWS Service Catalog with template constraint to authorize users to deploy CloudFormation stacks.

    Option 3 – Use AWS Service Catalog with launch constraint to authorize users to deploy CloudFormation stacks.

    Option 4 – Create an AWS Config rule that evaluates whether a CloudFormation stack has drifted from the expected configuration.

    Option 5 – Utilize the CloudFormation drift detection feature to detect whether a CloudFormation stack has drifted from the expected configuration.

    Provided Answers: 3 and 4

    Option 3 – Use AWS Service Catalog with launch constraint to authorize users to deploy CloudFormation stacks.

    Option 4 – Create an AWS Config rule that evaluates whether a CloudFormation stack has drifted from the expected configuration.


    Provided explanation:

    An AWS Service Catalog launch constraint specifies the AWS Identity and Access Management (IAM) role that AWS Service Catalog assumes when an end-user launches a product. Without this, end-users must launch and manage products using their own IAM credentials. To do so, they must have permissions for AWS CloudFormation, AWS services that the products use, and AWS Service Catalog. By using a launch role, you can instead limit the end users’ permissions to the minimum they require for that product.

    The option that says: Use CloudFormation service role to authorize users to deploy CloudFormation stacks is incorrect. A CloudFormation service role is simply an IAM role that allows AWS CloudFormation to make calls to resources in a stack on behalf of a user. The correct permissions must be defined in the service role in order for the resources to launch successfully. The service role is implicitly needed and does not impose any constraints on the CloudFormation template.

    The option that says: Use AWS Service Catalog with template constraint to authorize users to deploy CloudFormation stacks is incorrect. The template constraint just limits the options that are available to end-users when they launch a product. It works by narrowing the allowable values for parameters that are defined in the product’s underlying AWS CloudFormation template.

    The option that says: Utilize the CloudFormation drift detection feature to detect whether a CloudFormation stack has drifted from the expected configuration is incorrect because this is still a manual process. You can, however, automate this process by running a scheduled Lambda function that calls the DescribeStackDriftDetectionStatus API operation.


    Launch constraints and template constraints seem similar at first glance, but there is a distinct difference between them. The former provides the necessary IAM role for users to deploy the CloudFormation stacks containing the AWS resources, while the latter is more concerned with providing fine-grained control of the type of AWS resource (e.g. instance type, storage class) that the user can deploy, and not the actual AWS resource or the CloudFormation stack itself.

    Take note that the scenario explicitly mentions that you have to “ensure the users can only deploy stacks from pre-approved CloudFormation templates”, and not simply limit the available options that can be utilized in the associated CloudFormation stack of the AWS Service Catalog product. Therefore, the correct type of constraint to use here is the Launch Constraint.


    References:

    https://docs.aws.amazon.com/servicecatalog/latest/adminguide/constraints-launch.html

    https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_constraints_template-constraints.html

    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam on your first try!

    Regards,

    Jon Bonso @ Tutorials Dojo
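The explanation above notes that CloudFormation drift detection is on-demand and can be automated by a scheduled Lambda function that calls DescribeStackDriftDetectionStatus. The following is an added example (not from the original post or from Tutorials Dojo) of such a function: it starts drift detection, polls the status API until it finishes, and lists the drifted resources. The stack name `approved-stack`, the `FakeCfn` test double and its drift results are constructed for offline use; in Lambda the real boto3 client is used.

```python
import time

TERMINAL = {"DETECTION_COMPLETE", "DETECTION_FAILED"}


def check_stack_drift(cfn, stack_name, poll_seconds=5, max_polls=60):
    """Start drift detection, wait for it to finish, return a summary dict.
    `cfn` is a CloudFormation client (boto3 or a test double)."""
    det_id = cfn.detect_stack_drift(StackName=stack_name)["StackDriftDetectionId"]
    for _ in range(max_polls):
        status = cfn.describe_stack_drift_detection_status(StackDriftDetectionId=det_id)
        if status["DetectionStatus"] in TERMINAL:
            break
        time.sleep(poll_seconds)  # detection runs asynchronously; poll until terminal
    else:
        raise TimeoutError(f"drift detection {det_id} did not finish")
    if status["DetectionStatus"] == "DETECTION_FAILED":
        raise RuntimeError(status.get("DetectionStatusReason", "detection failed"))
    drifted = []
    if status["StackDriftStatus"] == "DRIFTED":
        token = None
        while True:  # page through the per-resource drift records
            kwargs = {"StackName": stack_name,
                      "StackResourceDriftStatusFilters": ["MODIFIED", "DELETED"]}
            if token:
                kwargs["NextToken"] = token
            page = cfn.describe_stack_resource_drifts(**kwargs)
            drifted += [(d["LogicalResourceId"], d["StackResourceDriftStatus"])
                        for d in page["StackResourceDrifts"]]
            token = page.get("NextToken")
            if not token:
                break
    return {"stack": stack_name, "drift_status": status["StackDriftStatus"],
            "drifted": drifted}


def lambda_handler(event, context):
    """EventBridge-scheduled entry point; assumes boto3 in the Lambda runtime."""
    import boto3
    return check_stack_drift(boto3.client("cloudformation"), event["stack_name"])


class FakeCfn:
    """Constructed stand-in: completes on the second poll and reports one drift."""
    def __init__(self):
        self.polls = 0
    def detect_stack_drift(self, StackName):
        return {"StackDriftDetectionId": "det-0001"}
    def describe_stack_drift_detection_status(self, StackDriftDetectionId):
        self.polls += 1
        if self.polls < 2:
            return {"DetectionStatus": "DETECTION_IN_PROGRESS"}
        return {"DetectionStatus": "DETECTION_COMPLETE", "StackDriftStatus": "DRIFTED"}
    def describe_stack_resource_drifts(self, **kwargs):
        return {"StackResourceDrifts": [
            {"LogicalResourceId": "WebSG", "StackResourceDriftStatus": "MODIFIED"}]}
```

Schedule the handler with an EventBridge rule and forward a non-empty `drifted` list to SNS or Security Hub to get the continuous detection the scenario asks for.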


Skip to content