AWS Certified CloudOps Engineer – Associate

Get started today

Ultimate access to all questions.

Explanation:

In AWS IAM, an explicit Deny always overrides an Allow. The first statement grants all EC2 actions (ec2:*), but the second statement explicitly denies TerminateInstances and DeleteVolume. Therefore, the user can perform all EC2 actions except for those two specific blocked actions.

Explanation:

Comments (0)

No comments yet.

Question 2

What is the net effect of the following IAM policy on EC2 actions?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["ec2:TerminateInstances", "ec2:DeleteVolume"],
      "Resource": "*"
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["ec2:TerminateInstances", "ec2:DeleteVolume"],
      "Resource": "*"
    }
  ]
}

Exam-Like

Community

Last updated: May 9, 2026 at 15:09

No EC2 actions are allowed

All EC2 actions are allowed including terminate and delete

All EC2 actions are allowed except TerminateInstances and DeleteVolume

Only TerminateInstances and DeleteVolume are allowed