A large enterprise wants to adopt CloudFormation to automate administrative tasks and implement the security principles of least privilege and separation of duties. They have identified the following roles with the corresponding tasks in the company.

Answer options:

A.Network stack updates will fail upon attempts to delete a subnet with EC2 instances.
B.Restricting the launch of EC2 instances into VPCs requires resource level permissions in the IAM policy of the application group.
C.Nesting network stacks within application stacks simplifies management and debugging, but requires resource-level permissions in the network group`s IAM policy.
D.The application stack cannot be deleted before all network stacks are deleted.
E.Unless account level permissions are used on the cloud formation: Delete Stack action, network administrators could tear down application stacks.

Answer – A and B
Option A is CORRECT because subnets cannot be deleted with instances in them.
Option B is CORRECT because to launch instances explicitly, we need IAM permissions.
Option C is incorrect because the stacks are created using the application group`s IAM policy when nesting network stacks within application stacks. And the policy should require network-level permissions.
Option D is incorrect because the application stack can be deleted before the network stack.
Option E is incorrect because network administrators need resource-level permission to delete the application stack.
For more information, please visit the below URL-
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html