
Answer-first summary for fast verification
Answer: The request to terminate the EC2 instance does not originate from the CIDR blocks 192.0.2.0/24 or 203.0.113.0/24.
## Explanation

The correct answer is **D** because:

1. **Policy Analysis**: The IAM policy contains two statements:
   - First statement: Allows `ec2:TerminateInstances` on all resources (`"*"`)
   - Second statement: Denies `ec2:TerminateInstances` with a `NotIpAddress` condition on the source IP
2. **Condition Logic**: The condition `"NotIpAddress": { "aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"] }` means:
   - **DENY** the action if the request **DOES NOT** originate from the specified IP ranges
   - In other words: only termination requests from IPs in 192.0.2.0/24 or 203.0.113.0/24 are allowed
3. **IAM Evaluation Logic**: In AWS IAM:
   - Explicit DENY statements always override ALLOW statements
   - The request is evaluated against both statements
   - If the request comes from an IP outside the specified ranges, the DENY statement applies
   - The administrator receives a 403 Access Denied error
4. **Why Other Options Are Incorrect**:
   - **A**: EC2 instances don't have resource-based policies; they use security groups and network ACLs
   - **B**: The principal is specified when the IAM role is assumed; it's not required in the policy itself
   - **C**: The Action field explicitly grants `ec2:TerminateInstances`, which is the correct action

**Key Takeaway**: When using IP-based conditions in IAM policies, ensure the request originates from the allowed IP ranges. The `NotIpAddress` condition combined with a `Deny` effect creates an allow-list where only requests from the specified IPs are permitted.
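To make the evaluation logic concrete, here is an added example (not part of the LeetQuiz page) that embeds the question's policy and evaluates it for a few constructed source IPs with IAM's rule that an explicit Deny overrides any Allow; it models only the `IpAddress`/`NotIpAddress` operators and exact action names, nothing more.

```python
"""Added example, not from the original page: a minimal evaluator for the
quiz's two-statement policy. It shows why a request from outside the listed
CIDRs is denied (explicit Deny beats Allow) and one from inside is allowed."""
import ipaddress
import json

# The policy from the question, embedded verbatim so the example runs offline.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:TerminateInstances"], "Resource": ["*"]},
    {"Effect": "Deny", "Action": ["ec2:TerminateInstances"],
     "Condition": {"NotIpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]}},
     "Resource": ["*"]}
  ]
}""")


def condition_matches(condition, source_ip):
    """Evaluate only the operators this policy uses: IpAddress / NotIpAddress
    on aws:SourceIp. Note that aws:SourceIp is the public IP AWS sees, not the
    caller's private address."""
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError(f"operator {operator} not modelled here")
        cidrs = keys.get("aws:SourceIp", [])
        in_any = any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)
        if operator == "IpAddress" and not in_any:
            return False
        if operator == "NotIpAddress" and in_any:
            return False
    return True


def evaluate(policy, action, source_ip):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny'. An explicit Deny
    whose condition holds short-circuits, exactly as IAM evaluation does."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:          # exact match only; wildcards not modelled
            continue
        if not condition_matches(stmt.get("Condition", {}), source_ip):
            continue                        # statement does not apply to this request
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    for ip in ("198.51.100.7", "192.0.2.10", "203.0.113.255"):   # constructed sample IPs
        print(ip, "->", evaluate(POLICY, "ec2:TerminateInstances", ip))
```

Against a real account the same check is `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names ec2:TerminateInstances --context-entries ContextKeyName=aws:SourceIp,ContextKeyValues=198.51.100.7,ContextKeyType=ip`, which reports `explicitDeny` for an out-of-range address.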
Author: LeetQuiz Editorial Team
A company uses Amazon EC2 instances to host its internal systems. As part of a deployment operation, an administrator tries to use the AWS CLI to terminate an EC2 instance. However, the administrator receives a 403 (Access Denied) error message.
The administrator is using an IAM role that has the following IAM policy attached:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:TerminateInstances"],
      "Resource": ["*"]
    },
    {
      "Effect": "Deny",
      "Action": ["ec2:TerminateInstances"],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "192.0.2.0/24",
            "203.0.113.0/24"
          ]
        }
      },
      "Resource": ["*"]
    }
  ]
}
```
What is the cause of the unsuccessful request?

- **A.** The EC2 instance has a resource-based policy with a Deny statement.
- **B.** The principal has not been specified in the policy statement.
- **C.** The "Action" field does not grant the actions that are required to terminate the EC2 instance.
- **D.** The request to terminate the EC2 instance does not originate from the CIDR blocks 192.0.2.0/24 or 203.0.113.0/24.