AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A solutions architect has created two IAM policies: Policy1 and Policy2. Both policies are attached to an IAM group.

Policy 1

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:Get*",
        "iam:List*",
        "kms:List*",
        "ec2:*",
        "ds:*",
        "logs:Get*",
        "logs:Describe*"
      ],
      "Resource": "*"
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:Get*",
        "iam:List*",
        "kms:List*",
        "ec2:*",
        "ds:*",
        "logs:Get*",
        "logs:Describe*"
      ],
      "Resource": "*"
    }
  ]
}

Policy 2

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ds:Delete*",
      "Resource": "*"
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ds:Delete*",
      "Resource": "*"
    }
  ]
}

A cloud engineer is added as an IAM user to the IAM group. Which action will the cloud engineer be able to perform?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Deleting IAM users

Deleting directories

Deleting Amazon EC2 instances

Deleting logs from Amazon CloudWatch Logs

Explanation:

Explanation

In AWS IAM, when multiple policies are attached to a principal (user, group, or role), the effective permissions are determined by evaluating all statements:

Policy 1 grants broad permissions:
- iam:Get* and iam:List* - Allows GET and LIST operations on IAM resources
- ec2:* - Allows ALL EC2 operations (including delete)
- ds:* - Allows ALL Directory Service operations (including delete)
- logs:Get* and logs:Describe* - Allows GET and DESCRIBE operations on CloudWatch Logs
Policy 2 explicitly denies ds:Delete* operations on Directory Service.
AWS IAM evaluation logic:
- Explicit DENY always overrides ALLOW
- If no explicit DENY, then ALLOW statements are evaluated
- If no statements match, the default is DENY

Analyzing each option:

A. Deleting IAM users - ❌ NOT allowed

Policy 1 only grants iam:Get* and iam:List* operations
iam:Delete* operations are NOT included
No explicit DENY, but no ALLOW either → DENY by default

B. Deleting directories - ❌ NOT allowed

Policy 1 grants ds:* which would include ds:Delete*
BUT Policy 2 explicitly DENIES ds:Delete*
Explicit DENY overrides ALLOW → DENY

C. Deleting Amazon EC2 instances - ✅ ALLOWED

Policy 1 grants ec2:* which includes ALL EC2 operations
No explicit DENY for EC2 delete operations
ALLOW statement applies → ALLOWED

D. Deleting logs from Amazon CloudWatch Logs - ❌ NOT allowed

Policy 1 only grants logs:Get* and logs:Describe*
logs:Delete* operations are NOT included
No explicit DENY, but no ALLOW either → DENY by default

Key IAM concepts demonstrated:

Wildcard permissions (*) grant all operations for that service
Explicit DENY statements take precedence over ALLOW statements
Permission evaluation follows: DENY → ALLOW → DENY (default)
Service-specific permissions must be explicitly granted or denied

Powered ByGPT-5.2

Comments

Loading comments...