AWS Certified Solutions Architect - Professional / Question #941 of 529

Question #941

A solutions architect is deploying a monitoring tool across multiple new AWS Regions using an AWS CloudFormation stack set. The stack set's template includes an IAM role with a custom name. After creating the stack set, all stack instances fail to deploy. What should the solutions architect do to resolve this issue?

A

Enable the new Regions in all relevant accounts. Specify the CAPABILITY_NAMED_IAM capability during the creation of the stack set.

B

Use the Service Quotas console to request a quota increase for the number of IAM roles in each new Region in all relevant accounts. Specify the CAPABILITY_IAM capability during the creation of the stack set.

C

Specify the CAPABILITY_NAMED_IAM capability and the SERVICE_MANAGED permissions model during the creation of the stack set.

D

Specify an administration role ARN and the CAPABILITY_AUTO_EXPAND capability during the creation of the stack set.

Explanation

Answer A is correct because AWS CloudFormation requires explicit acknowledgment via the CAPABILITY_NAMED_IAM capability when creating IAM resources with custom names. Without this, stack deployments fail. Enabling new Regions in all accounts ensures resources can be deployed there. Other options are incorrect because:
- B: The issue isn't IAM role quotas but missing capability.
- C: SERVICE_MANAGED permissions model isn't directly related to IAM capability requirements.
- D: CAPABILITY_AUTO_EXPAND applies to macros, not IAM resources.
Key Points:
1. Use CAPABILITY_NAMED_IAM for custom-named IAM resources.
2. Ensure Regions are enabled in target accounts before deployment.

Answer

The correct answer is: A