AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

An Amazon EC2 administrator created the following policy associated with an IAM group containing several users:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:TerminateInstances",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.100.100.0/24"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "ec2:Region": "us-east-1"
        }
      }
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:TerminateInstances",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.100.100.0/24"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "ec2:Region": "us-east-1"
        }
      }
    }
  ]
}

What is the effect of this policy?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Users can terminate an EC2 instance in any AWS Region except us-east-1.

Users can terminate an EC2 instance with the IP address 10.100.100.1 in the us-east-1 Region.

Users can terminate an EC2 instance in the us-east-1 Region when the user's source IP is 10.100.100.254.

Users cannot terminate an EC2 instance in the us-east-1 Region when the user's source IP is 10.100.100.254.

Explanation:

Explanation

This IAM policy has two statements that work together:

First Statement (Allow):
- Allows the ec2:TerminateInstances action
- Resource: * (all EC2 instances)
- Condition: Source IP must be in the range 10.100.100.0/24
Second Statement (Deny):
- Denies all EC2 actions (ec2:*)
- Resource: * (all EC2 instances)
- Condition: Region is NOT equal to us-east-1

Key Points:

Deny statements override Allow statements in IAM policies
The second statement denies ALL EC2 actions in regions other than us-east-1
The first statement allows termination ONLY when source IP is in 10.100.100.0/24
IP address 10.100.100.254 is within the 10.100.100.0/24 subnet (range: 10.100.100.0 - 10.100.100.255)

Analysis of Options:

A: Incorrect - The deny statement blocks ALL EC2 actions (including termination) in regions other than us-east-1
B: Incorrect - While the IP is correct, this doesn't specify the complete condition (must be in us-east-1 region)
C: CORRECT - Users can terminate EC2 instances in us-east-1 when source IP is 10.100.100.254 (meets both conditions)
D: Incorrect - This is the opposite of what the policy allows

How IAM Policy Evaluation Works:

By default, all requests are denied
Allow statements grant permissions
Deny statements explicitly deny permissions (override allows)
Conditions must be satisfied for statements to apply

In this case:

To terminate an instance, BOTH conditions must be met:
1. Source IP must be in 10.100.100.0/24
2. Region must be us-east-1 (because if it's not us-east-1, the deny statement blocks all EC2 actions)
IP 10.100.100.254 satisfies the IP condition
us-east-1 region satisfies the region condition (avoids the deny)

Powered ByGPT-5.2

Comments

Loading comments...