ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Associate SAA-C03 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Associate SAA-C03 exam
Go to Exam

Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 494 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Associate SAA-C03
Question #: 494
Topic #: 1
[All AWS Certified Solutions Architect - Associate SAA-C03 Questions]

A company uses Amazon EC2 instances to host its internal systems. As part of a deployment operation, an administrator tries to use the AWS CLI to terminate an EC2 instance. However, the administrator receives a 403 (Access Denied) error message.

The administrator is using an IAM role that has the following IAM policy attached:



What is the cause of the unsuccessful request?

  • A. The EC2 instance has a resource-based policy with a Deny statement.
  • B. The principal has not been specified in the policy statement.
  • C. The "Action" field does not grant the actions that are required to terminate the EC2 instance.
  • D. The request to terminate the EC2 instance does not originate from the CIDR blocks 192.0.2.0/24 or 203.0.113.0/24.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by nosense at May 19, 2023, 3:29 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
TariqKipkemei
Highly Voted 1 year, 8 months ago
Selected Answer: D
the command is coming from a source IP which is not in the allowed range.
upvoted 5 times
...
chasingsummer
Most Recent 1 year, 2 months ago
Selected Answer: D
I ran a Policy Simulator and indeed, D is right answer. Here is the JSON policy: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*" }, { "Effect": "Deny", "Action": "ec2:TerminateInstances", "Condition": { "NotIpAddress": { "aws:SourceIp" : [ "192.0.2.0/24", "203.0.113.0/24" ] } }, "Resource": "*" } ] }
upvoted 2 times
...
chasingsummer
1 year, 2 months ago
The condition operator is "NotIpAddress" so I am not sure about D as right answer.
upvoted 2 times
awsgeek75
1 year, 2 months ago
Deny when IP address is not in (NotIPAddress). AWS has a weird way of stating Deny and it almost sound like double negative meaning positive. But read this doc for more clarity: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html It has the exact same example! Good luck!
upvoted 2 times
LeonSauveterre
3 months, 3 weeks ago
This is exactly what I need, thanks!
upvoted 1 times
...
...
...
awsgeek75
1 year, 2 months ago
Selected Answer: D
If you want to read more about this, see how it works: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html Same policy as in this question with almost same use case. D is correct answer.
upvoted 4 times
...
elmogy
1 year, 10 months ago
Selected Answer: D
" aws:SourceIP " indicates the IP address that is trying to perform the action.
upvoted 2 times
...
nosense
1 year, 10 months ago
Selected Answer: D
d for sure
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago