A large enterprise wants to adopt CloudFormation to automate administrative tasks and implement the security principles of least privilege and separation of duties. They have identified the following roles with the corresponding tasks in the company:

Network administrators: create, modify and delete VPCs, subnets, NACLs, routing tables and security groups.

Application operators: deploy complete application stacks (ELB, Auto Scaling groups, RDS), where all resources must be deployed in the VPCs managed by the network administrators.

Both groups must maintain their own CloudFormation templates and should be able to create, update and delete only their own CloudFormation stacks. The company has followed your advice to create two IAM groups, one for applications and one for networks. Both IAM groups are attached to IAM policies that grant rights to perform the necessary tasks of each group as well as the creation, update, and deletion of CloudFormation stacks.

Given this setup and these requirements, which statements represent valid design considerations? Choose 2 options from the below:

A. Network stack updates will fail upon attempts to delete a subnet with EC2 instances.
B. Restricting the launch of EC2 instances into VPCs requires resource-level permissions in the IAM policy of the application group.
C. Nesting network stacks within application stacks simplifies management and debugging, but requires resource-level permissions in the IAM policy of the network group.
D. The application stack cannot be deleted before all network stacks are deleted.
E. Unless resource-level permissions are used on the cloudformation:DeleteStack action, network administrators could tear down application stacks.