Question #766
A developer is deploying an AWS CloudFormation template that includes explicitly named IAM roles. During deployment, CloudFormation returns an InsufficientCapabilities error. What should the developer do to resolve this issue?
A. Enable the CAPABILITY_AUTO_EXPAND capability when deploying the CloudFormation stack.
B. Deploy the stack using an IAM role with full administrative permissions.
C. Include the CAPABILITY_IAM capability in the CloudFormation deployment parameters.
D. Specify the CAPABILITY_NAMED_IAM capability during the CloudFormation stack deployment.
Explanation
Answer D is correct because AWS CloudFormation requires explicit acknowledgment via the CAPABILITY_NAMED_IAM capability when a template includes IAM resources with custom names (e.g., explicitly named roles or policies). This ensures users understand the security implications of creating IAM resources.
Option C (CAPABILITY_IAM) is incorrect because it applies only to IAM resources with auto-generated names. Option A (CAPABILITY_AUTO_EXPAND) relates to template macros and is irrelevant here. Option B (using an admin role) does not resolve the error because CloudFormation requires explicit capabilities regardless of IAM permissions. The key takeaway is that CAPABILITY_NAMED_IAM is mandatory for explicitly named IAM resources, while CAPABILITY_IAM is for auto-generated ones.
Answer
The correct answer is: D