
The following IAM policy is attached to an IAM group. This is the only policy applied to the group.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:Region": "us-east-1"
        }
      }
    },
    {
      "Sid": "2",
      "Effect": "Deny",
      "Action": [
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {"aws:MultiFactorAuthPresent": false}
      }
    }
  ]
}
What are the effective IAM permissions of this policy for group members?
A
Group members are permitted any Amazon EC2 action within the us-east-1 Region. Statements after the Allow permission are not applied.
B
Group members are denied any Amazon EC2 permissions in the us-east-1 Region unless they are logged in with multi-factor authentication (MFA).
C
Group members are allowed the ec2:StopInstances and ec2:TerminateInstances permissions for all Regions when logged in with multi-factor authentication (MFA). Group members are permitted any other Amazon EC2 action.
D
Group members are allowed the ec2:StopInstances and ec2:TerminateInstances permissions for the us-east-1 Region only when logged in with multi-factor authentication (MFA). Group members are permitted any other Amazon EC2 action within the us-east-1 Region.
Explanation:
Let's analyze the IAM policy step by step:
Statement 1 (Sid "1"): Effect Allow, Action ec2:* (all EC2 actions), Resource * (all resources), Condition StringEquals ec2:Region = us-east-1. This statement allows every EC2 action, but only when the request targets the us-east-1 Region.

Statement 2 (Sid "2"): Effect Deny, Action ec2:StopInstances and ec2:TerminateInstances, Resource * (all resources), Condition BoolIfExists aws:MultiFactorAuthPresent = false. This statement denies StopInstances and TerminateInstances when MFA is not present. Because the operator is BoolIfExists, the condition is also satisfied when the aws:MultiFactorAuthPresent key is absent from the request context, which is the case for requests signed with long-term access keys rather than temporary session credentials. The deny therefore applies both to sessions that were opened without MFA and to plain access-key requests.

Combining the two statements (an explicit Deny always overrides an Allow):
Any EC2 action other than StopInstances and TerminateInstances is allowed in us-east-1 only.
StopInstances and TerminateInstances are allowed in us-east-1 only when MFA is present; without MFA the explicit deny wins.
No EC2 action is allowed outside us-east-1, because Statement 1 does not match there and nothing else grants access (implicit deny).

Why the other options are wrong:
Option A is wrong because IAM evaluates every statement in every applicable policy; an explicit Deny is never skipped because an Allow appeared earlier.
Option B is wrong because only StopInstances and TerminateInstances require MFA, not all EC2 actions.
Option C is wrong because the Allow in Statement 1 is limited to us-east-1; no statement grants permissions in other Regions.

Correct answer: D.

Key IAM Concepts:
An explicit Deny overrides any Allow, regardless of statement order.
BoolIfExists evaluates the condition when the key is present and treats the condition as true (matched) when the key is absent. With a plain Bool operator an absent key makes the condition false, so the deny would not apply to requests made with long-term access keys, which carry no aws:MultiFactorAuthPresent key at all.
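The following is an added example, not part of the original question or explanation: a small Python simulator of the IAM evaluation rules the explanation relies on (explicit Deny beats Allow; ...IfExists operators match when the key is absent), run against the policy from the question. It assumes a simplified model: only the StringEquals, Bool and BoolIfExists operators are implemented, Resource matching is skipped because both statements use "*", and the request contexts are constructed by hand. The helper with_plain_bool is hypothetical; it exists only to show how the answer changes if BoolIfExists is replaced by Bool.

```python
import json
import fnmatch

# The group policy from the question above, embedded verbatim so the example runs offline.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {"StringEquals": {"ec2:Region": "us-east-1"}}
    },
    {
      "Sid": "2",
      "Effect": "Deny",
      "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
      "Resource": "*",
      "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": false}}
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are matched case-insensitively and support '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_matches(condition, ctx):
    """Evaluate a Condition block against a request context (dict of condition keys).

    Simplified simulator: only StringEquals, Bool and their ...IfExists variants.
    Operators are ANDed, keys within an operator are ANDed, values for one key are ORed.
    """
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        if base not in ("StringEquals", "Bool"):
            raise ValueError(f"operator {operator} not supported by this simulator")
        for key, expected in pairs.items():
            if key not in ctx:
                if if_exists:
                    continue   # ...IfExists: an absent key counts as a match
                return False   # plain operator: an absent key never matches
            actual = str(ctx[key]).lower()
            wanted = [str(v).lower() for v in _as_list(expected)]
            if actual not in wanted:
                return False
    return True


def evaluate(policy, action, ctx):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one action under one request context.

    An explicit Deny in any matching statement overrides every Allow, as in IAM.
    Resource matching is skipped because both statements here use "*".
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def with_plain_bool(policy):
    """Hypothetical variant: the same policy with BoolIfExists replaced by Bool."""
    copy = json.loads(json.dumps(policy))
    for stmt in copy["Statement"]:
        cond = stmt.get("Condition", {})
        if "BoolIfExists" in cond:
            cond["Bool"] = cond.pop("BoolIfExists")
    return copy


# Constructed request contexts (no real API calls). aws:MultiFactorAuthPresent is only set
# for temporary session credentials; a request signed with long-term access keys carries
# no such key at all, which ACCESS_KEYS models.
MFA_SESSION = {"ec2:Region": "us-east-1", "aws:MultiFactorAuthPresent": True}
NO_MFA_SESSION = {"ec2:Region": "us-east-1", "aws:MultiFactorAuthPresent": False}
OTHER_REGION = {"ec2:Region": "us-west-2", "aws:MultiFactorAuthPresent": True}
ACCESS_KEYS = {"ec2:Region": "us-east-1"}

if __name__ == "__main__":
    contexts = [("mfa session", MFA_SESSION), ("no-mfa session", NO_MFA_SESSION),
                ("other region", OTHER_REGION), ("access keys", ACCESS_KEYS)]
    for name, ctx in contexts:
        for action in ("ec2:DescribeInstances", "ec2:StopInstances"):
            print(f"{name:15} {action:22} {evaluate(POLICY, action, ctx)}")
    print("plain Bool, access keys, ec2:StopInstances:",
          evaluate(with_plain_bool(POLICY), "ec2:StopInstances", ACCESS_KEYS))
```

The access-key case is the one worth remembering: with BoolIfExists the deny applies to it (the key is absent, so the condition matches), while the Bool variant lets StopInstances through for any caller using long-term access keys, because an absent key can never equal false. Against a real account the same scenarios can be checked with the IAM policy simulator (aws iam simulate-custom-policy), which applies the authoritative evaluation logic rather than this simplified model.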