
Answer-first summary for fast verification
Answer: Deleting Amazon EC2 instances
## Explanation

In AWS IAM, when multiple policies are attached to a principal (user, group, or role), the effective permissions are determined by evaluating all statements together:

1. **Policy 1** grants broad permissions:
   - `iam:Get*` and `iam:List*` - allows GET and LIST operations on IAM resources
   - `kms:List*` - allows LIST operations on AWS KMS
   - `ec2:*` - allows ALL EC2 operations (including delete)
   - `ds:*` - allows ALL Directory Service operations (including delete)
   - `logs:Get*` and `logs:Describe*` - allows GET and DESCRIBE operations on CloudWatch Logs
2. **Policy 2** explicitly denies `ds:Delete*` operations on Directory Service.
3. **AWS IAM evaluation logic**:
   - An **explicit DENY** always overrides an ALLOW
   - If no explicit DENY applies, matching ALLOW statements grant access
   - If no statement matches, the default is DENY

**Analyzing each option:**

**A. Deleting IAM users** - ❌ NOT allowed
- Policy 1 only grants `iam:Get*` and `iam:List*` operations
- `iam:Delete*` operations are NOT included
- No explicit DENY, but no ALLOW either → DENY by default

**B. Deleting directories** - ❌ NOT allowed
- Policy 1 grants `ds:*`, which would include `ds:Delete*`
- BUT Policy 2 explicitly DENIES `ds:Delete*`
- Explicit DENY overrides ALLOW → DENY

**C. Deleting Amazon EC2 instances** - ✅ ALLOWED
- Policy 1 grants `ec2:*`, which includes ALL EC2 operations
- No explicit DENY for EC2 delete operations
- ALLOW statement applies → ALLOWED

**D. Deleting logs from Amazon CloudWatch Logs** - ❌ NOT allowed
- Policy 1 only grants `logs:Get*` and `logs:Describe*`
- `logs:Delete*` operations are NOT included
- No explicit DENY, but no ALLOW either → DENY by default

**Key IAM concepts demonstrated:**
- Wildcard permissions (`*`) grant all operations for that service
- Explicit DENY statements take precedence over ALLOW statements
- Permission evaluation follows: explicit DENY → ALLOW → implicit DENY (default)
- Service-specific permissions must be explicitly granted or denied
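To make the evaluation order concrete, here is a small added Python model (not part of the original question, and not an AWS library) that applies explicit-Deny, then Allow, then implicit-Deny to the two policies above. The API action names used to represent each option (`iam:DeleteUser`, `ds:DeleteDirectory`, `ec2:TerminateInstances`, `logs:DeleteLogGroup`) are representative choices, and conditions, resource-based policies, SCPs and permissions boundaries are deliberately left out of the model.

```python
import fnmatch
import json

# Policy 1 and Policy 2 from the question, exactly as attached to the IAM group.
POLICY_1 = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["iam:Get*", "iam:List*", "kms:List*", "ec2:*", "ds:*",
             "logs:Get*", "logs:Describe*"], "Resource": "*"}]}""")
POLICY_2 = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Deny",
  "Action": "ds:Delete*", "Resource": "*"}]}""")


def _as_list(value):
    # IAM allows Action and Resource to be a single string or a list.
    return [value] if isinstance(value, str) else list(value)


def _action_matches(pattern, action):
    # IAM treats '*' and '?' as wildcards; action names match case-insensitively.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policies, action, resource="*"):
    """Decide one action on one resource across the attached identity policies.
    Precedence as described above: a matching explicit Deny wins, otherwise a
    matching Allow grants access, otherwise the implicit default is Deny.
    (Conditions, resource policies, SCPs and boundaries are out of scope.)
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
                continue
            # Resource ARNs are case-sensitive, so no lower() here.
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit Deny: nothing in any other policy can override it
            allowed = True    # remember the Allow but keep scanning for a Deny
    return allowed


def evaluate_options(policies=(POLICY_1, POLICY_2)):
    """Map each answer option to a representative API action and evaluate it."""
    options = {
        "A": "iam:DeleteUser",          # Deleting IAM users
        "B": "ds:DeleteDirectory",      # Deleting directories
        "C": "ec2:TerminateInstances",  # Deleting Amazon EC2 instances
        "D": "logs:DeleteLogGroup",     # Deleting logs from CloudWatch Logs
    }
    return {opt: is_allowed(policies, act) for opt, act in options.items()}
```

Running `evaluate_options()` returns `True` only for option C; evaluating `ds:DeleteDirectory` against Policy 1 alone returns `True`, which shows that it is Policy 2's explicit Deny, not a missing Allow, that blocks option B.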
Author: LeetQuiz Editorial Team
A solutions architect has created two IAM policies: Policy1 and Policy2. Both policies are attached to an IAM group.
Policy 1
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:Get*",
        "iam:List*",
        "kms:List*",
        "ec2:*",
        "ds:*",
        "logs:Get*",
        "logs:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
```
Policy 2
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ds:Delete*",
      "Resource": "*"
    }
  ]
}
```
A cloud engineer is added as an IAM user to the IAM group. Which action will the cloud engineer be able to perform?
A. Deleting IAM users
B. Deleting directories
C. Deleting Amazon EC2 instances
D. Deleting logs from Amazon CloudWatch Logs