AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company uses Amazon EC2 instances to host its internal systems. As part of a deployment operation, an administrator tries to use the AWS CLI to terminate an EC2 instance. However, the administrator receives a 403 (Access Denied) error message.

The administrator is using an IAM role that has the following IAM policy attached:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:TerminateInstances"],
      "Resource": ["*"]
    },
    {
      "Effect": "Deny",
      "Action": ["ec2:TerminateInstances"],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "192.0.2.0/24",
            "203.0.113.0/24"
          ]
        }
      },
      "Resource": ["*"]
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:TerminateInstances"],
      "Resource": ["*"]
    },
    {
      "Effect": "Deny",
      "Action": ["ec2:TerminateInstances"],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "192.0.2.0/24",
            "203.0.113.0/24"
          ]
        }
      },
      "Resource": ["*"]
    }
  ]
}

What is the cause of the unsuccessful request?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

The EC2 instance has a resource-based policy with a Deny statement.

The principal has not been specified in the policy statement.

The "Action" field does not grant the actions that are required to terminate the EC2 instance.

The request to terminate the EC2 instance does not originate from the CIDR blocks 192.0.2.0/24 or 203.0.113.0/24.

Explanation:

Explanation

The correct answer is D because:

Policy Analysis: The IAM policy contains two statements:
- First statement: Allows ec2:TerminateInstances on all resources ("*")
- Second statement: Denies ec2:TerminateInstances with a condition NotIpAddress for the source IP
Condition Logic: The condition "NotIpAddress": { "aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"] } means:
- DENY the action if the request DOES NOT originate from the specified IP ranges
- In other words: Only allow termination requests from IPs 192.0.2.0/24 or 203.0.113.0/24
IAM Evaluation Logic: In AWS IAM:
- Explicit DENY statements always override ALLOW statements
- The request is evaluated against both statements
- If the request comes from an IP outside the specified ranges, the DENY statement applies
- The administrator receives a 403 Access Denied error
Why Other Options Are Incorrect:
- A: EC2 instances don't have resource-based policies; they use security groups and network ACLs
- B: The principal is specified when the IAM role is assumed; it's not required in the policy itself
- C: The Action field explicitly grants ec2:TerminateInstances, which is the correct action

Key Takeaway: When using IP-based conditions in IAM policies, ensure the request originates from the allowed IP ranges. The NotIpAddress condition combined with Deny effect creates a whitelist where only requests from specified IPs are allowed.

Powered ByGPT-5.2

Comments

Loading comments...