AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

The following IAM policy is attached to an IAM group. This is the only policy applied to the group.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:Region": "us-east-1"
        }
      }
    },
    {
      "Sid": "2",
      "Effect": "Deny",
      "Action": [
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {"aws:MultiFactorAuthPresent": false}
      }
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:Region": "us-east-1"
        }
      }
    },
    {
      "Sid": "2",
      "Effect": "Deny",
      "Action": [
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {"aws:MultiFactorAuthPresent": false}
      }
    }
  ]
}

What are the effective IAM permissions of this policy for group members?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Group members are permitted any Amazon EC2 action within the us-east-1 Region. Statements after the Allow permission are not applied.

Group members are denied any Amazon EC2 permissions in the us-east-1 Region unless they are logged in with multi-factor authentication (MFA).

Group members are allowed the ec2:StopInstances and ec2:TerminateInstances permissions for all Regions when logged in with multi-factor authentication (MFA). Group members are permitted any other Amazon EC2 action.

Group members are allowed the ec2:StopInstances and ec2:TerminateInstances permissions for the us-east-1 Region only when logged in with multi-factor authentication (MFA). Group members are permitted any other Amazon EC2 action within the us-east-1 Region.

Explanation:

Explanation

Let's analyze the IAM policy step by step:

Statement 1 (Sid: "1"):

Effect: Allow
Action: ec2:* (all EC2 actions)
Resource: * (all resources)
Condition: Region must be us-east-1

This statement allows ALL EC2 actions, but ONLY when performed in the us-east-1 region.

Statement 2 (Sid: "2"):

Effect: Deny
Action: ec2:StopInstances and ec2:TerminateInstances
Resource: * (all resources)
Condition: BoolIfExists: {"aws:MultiFactorAuthPresent": false}

This statement denies the StopInstances and TerminateInstances actions when MFA is NOT present (false). The BoolIfExists operator means the condition is evaluated only if the aws:MultiFactorAuthPresent key exists in the request context.

How IAM Policy Evaluation Works:

Explicit Deny overrides Allow: In IAM, an explicit Deny always overrides an Allow, regardless of order.
Conditional Logic: The Deny statement only applies when MFA is NOT present.
Regional Restriction: The Allow statement only applies to us-east-1 region.

Effective Permissions:

For EC2 actions other than StopInstances and TerminateInstances: Allowed in us-east-1 region only.
For StopInstances and TerminateInstances in us-east-1:
- With MFA: Allowed (because the Deny condition aws:MultiFactorAuthPresent: false is not met)
- Without MFA: Denied (because the Deny condition is met)
For any EC2 action in other regions: Denied (because the Allow statement only applies to us-east-1)

Why Option D is Correct:

It correctly states that StopInstances and TerminateInstances are allowed only in us-east-1 with MFA
It correctly states that other EC2 actions are permitted within us-east-1
It respects both the regional restriction and the MFA requirement

Why Other Options are Incorrect:

A: Incorrect because Deny statements DO apply and override Allow statements
B: Incorrect because only StopInstances and TerminateInstances require MFA, not all EC2 actions
C: Incorrect because it says "for all Regions" - the Allow statement restricts to us-east-1 only

Key IAM Concepts:

Explicit Deny always wins over Allow
Conditions are evaluated based on request context
BoolIfExists evaluates to true only if the condition key exists AND its value matches
Policy statements are evaluated independently, not sequentially

Powered ByGPT-5.2

Comments

Loading comments...