A team uses AWS CloudFormation to manage infrastructure. They want to deploy a stack that creates an S3 bucket and a DynamoDB table. The S3 bucket name must be unique across all AWS accounts. Which CloudFormation intrinsic function should be used to generate a unique bucket name?
AccountId is globally unique, ensuring bucket name uniqueness.
Why this answer
Option C is correct because `!Sub 'mybucket-${AWS::AccountId}'` uses the `!Sub` intrinsic function to substitute the `AWS::AccountId` pseudo parameter, which is guaranteed to be unique per AWS account. Since S3 bucket names must be globally unique across all AWS accounts, appending the account ID ensures the generated name does not conflict with buckets in other accounts. This approach is a common pattern for creating unique resource names in CloudFormation.
Exam trap
The trap here is that candidates may think `!Ref 'AWS::StackName'` or `!Ref 'AWS::Region'` provide sufficient uniqueness, but they overlook the requirement for global uniqueness across all AWS accounts, which only `AWS::AccountId` guarantees.
How to eliminate wrong answers
Option A is wrong because `!Ref 'AWS::StackName'` returns the name of the CloudFormation stack, which is not guaranteed to be unique across AWS accounts; multiple accounts can have stacks with the same name.
Option B is wrong because `!GetAtt S3Bucket.Arn` returns the Amazon Resource Name of the S3 bucket, which is only available after the bucket is created, and cannot be used to generate a name before creation.
Option D is wrong because `!Select [0, !Split ['-', !Ref 'AWS::Region']]` extracts the first part of the region name (e.g., 'us' from 'us-east-1'), which is not unique across accounts or even across regions within the same account.