
Explanation:
In AWS IAM, an explicit Deny always overrides an Allow, regardless of statement order or of which attached policy the statements appear in. The first statement grants every EC2 API action (ec2:* on all resources), and the second statement explicitly denies ec2:TerminateInstances and ec2:DeleteVolume. The net effect is that the user can perform every EC2 action except those two. The Deny still holds even if another identity or resource policy allows those actions, but it blocks nothing else: related actions such as ec2:StopInstances or ec2:DetachVolume remain allowed by the first statement.
Question 2
What is the net effect of the following IAM policy on EC2 actions?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["ec2:TerminateInstances", "ec2:DeleteVolume"],
      "Resource": "*"
    }
  ]
}
A
No EC2 actions are allowed
B
All EC2 actions are allowed including terminate and delete
C
All EC2 actions are allowed except TerminateInstances and DeleteVolume
D
Only TerminateInstances and DeleteVolume are allowed
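To see the evaluation rule behind this question at work, the following is a small policy evaluator added here as an example; it is not code from AWS or from the question bank. It implements the identity-policy decision order (explicit Deny wins, otherwise any matching Allow grants, otherwise implicit deny) with IAM-style wildcard matching of action names, and it deliberately handles only Effect, Action and Resource: Condition, NotAction, permissions boundaries, SCPs and resource-based policies are out of scope. The function names evaluate and net_effect are this example's own.

```python
import fnmatch
import json

# The policy from the question, embedded so the example runs offline.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "ec2:*", "Resource": "*" },
    { "Effect": "Deny",
      "Action": ["ec2:TerminateInstances", "ec2:DeleteVolume"],
      "Resource": "*" }
  ]
}
""")


def _as_list(value):
    """IAM lets Action and Resource be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _match_action(pattern, action):
    """Action names are case-insensitive and support '*' and '?' wildcards.
    fnmatchcase gives the same '*'/'?' semantics (it also treats '[...]' as a
    character class, which IAM does not, but action names never contain '[')."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _match_resource(pattern, resource):
    """Resource ARNs are case-sensitive; only '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(resource, pattern)


def evaluate(policy, action, resource="*"):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one identity-based policy.

    Evaluation order modelled here: an explicit Deny in any statement that
    matches the request wins, otherwise a matching Allow grants access,
    otherwise the default is an implicit deny. Statement order is irrelevant.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(_match_action(p, action) for p in _as_list(stmt.get("Action")))
        resource_hit = any(_match_resource(p, resource) for p in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"      # explicit deny: stop, nothing later can override it
        decision = "Allow"     # keep scanning: a later Deny still wins
    return decision


def net_effect(policy, actions):
    """Summarise the decision for each of the given actions."""
    return {a: evaluate(policy, a) for a in actions}


if __name__ == "__main__":
    checks = ["ec2:RunInstances", "ec2:StopInstances",
              "ec2:TerminateInstances", "ec2:DeleteVolume", "s3:GetObject"]
    for action, decision in net_effect(POLICY, checks).items():
        print(f"{action:25s} -> {decision}")
```

For a policy you actually intend to deploy, the authoritative check is the IAM policy simulator rather than a local model, for example `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names ec2:TerminateInstances ec2:RunInstances`, which also accounts for conditions and the other policy types this example ignores.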