A leading bank has deployed servers using AWS OpsWorks Stacks for configuration management. Financial applications are installed on these servers which are critical for this bank. As per security guidelines, users from the operation team working on these servers should be only able to deploy instances in an AWS OpsWorks Stack but should not be able to clone stacks. 
Which combination of steps should a Sysops administrator take to meet this requirement? (Select TWO)

Answer options:

A.Configure AWS OpsWorks Stacks User Permissions to grant users a Manage permission level to perform stack operations.
B.Configure AWS OpsWorks Stacks User Permissions to deny users from cloning stacks.
C.Configure AWS OpsWorks Stacks User Permissions to grant users a Deploy permission level to perform stack operations.
D.Configure IAM policy to permit users to perform stack operations.
E.Configure IAM policy to deny users from cloning stacks.

Correct Answers: A and E
For the AWS OpsWorks stack, the best practice to grant users permission is using AWS OpsWorks Stacks Permissions Management. AWS OpsWorks Stacks Permissions Management has levels as below.
Deny – Deny permission to interact with the stack.
Show – Permission to view stack configuration.
Deploy - Permission to view stack configuration & deploy apps.
Manage – All permission as with Deploy level & additional permission of creating & deploying instance.
For granular permissions which cannot be granted using AWS OpsWorks Stacks User Permissions, IAM policies can be used.
For the requirement in the above case, permission to deploy instances can be granted using AWS OpsWorks Stacks Permissions Management, while denying permission from cloning stacks can be done using IAM policy.
Option B is incorrect as using AWS OpsWorks Stacks User Permissions, granular level permission to deny users from removing layers is not possible.
Option C is incorrect as AWS OpsWorks Stacks User Permissions should be Manage level & not a Deploy. With Deploy permission level, deploying of instance is not permitted.
Option D is incorrect as per AWS recommendations, AWS OpsWorks Stacks user Permission should be used to grant users access for performing stack operations. IAM policy should be only used for granular controls which are not part of AWS OpsWorks Stacks Permissions management.
For more information on Managing AWS OpsWorks Stacks User Permissions, refer to the following URLs,
https://docs.aws.amazon.com/opsworks/latest/userguide/opsworks-security-users.html
https://docs.aws.amazon.com/opsworks/latest/userguide/best-practices-permissions.html