Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 494 discussion

A company uses Amazon EC2 instances to host its internal systems. As part of a deployment operation, an administrator tries to use the AWS CLI to terminate an EC2 instance. However, the administrator receives a 403 (Access Denied) error message.

The administrator is using an IAM role that has the following IAM policy attached:



What is the cause of the unsuccessful request?

  • A. The EC2 instance has a resource-based policy with a Deny statement.
  • B. The principal has not been specified in the policy statement.
  • C. The "Action" field does not grant the actions that are required to terminate the EC2 instance.
  • D. The request to terminate the EC2 instance does not originate from the CIDR blocks 192.0.2.0/24 or 203.0.113.0/24.
Suggested Answer: D

Comments

chasingsummer
10 months, 2 weeks ago
Selected Answer: D
I ran a Policy Simulator and indeed, D is the right answer. Here is the JSON policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ec2:TerminateInstances",
          "Resource": "*"
        },
        {
          "Effect": "Deny",
          "Action": "ec2:TerminateInstances",
          "Condition": {
            "NotIpAddress": {
              "aws:SourceIp": [ "192.0.2.0/24", "203.0.113.0/24" ]
            }
          },
          "Resource": "*"
        }
      ]
    }
upvoted 1 times
...
chasingsummer
10 months, 2 weeks ago
The condition operator is "NotIpAddress", so I am not sure about D as the right answer.
upvoted 2 times
awsgeek75
10 months ago
Deny when the IP address is not in (NotIpAddress). AWS has a weird way of stating Deny and it almost sounds like a double negative meaning positive. But read this doc for more clarity: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html
It has the exact same example! Good luck!
upvoted 1 times
...
...
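Added example, not part of the original thread and not AWS code: a simplified Python model of how the policy posted above is evaluated, showing that the explicit Deny with NotIpAddress overrides the Allow for any source address outside the two CIDR blocks, and also when aws:SourceIp is absent from the request. The function names and sample addresses are assumptions made for illustration; only exact action matches and the IpAddress/NotIpAddress operators are modelled.

```python
import ipaddress

# Policy as posted in the comment above.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]}}},
    ],
}

def _in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def _condition_matches(condition, context):
    """Simplified model: only IpAddress / NotIpAddress are handled."""
    for operator, keys in condition.items():
        for key, cidrs in keys.items():
            value = context.get(key)
            if operator == "IpAddress":
                ok = value is not None and _in_any(value, cidrs)
            elif operator == "NotIpAddress":
                # Negated operators match when the key is absent from the request.
                ok = value is None or not _in_any(value, cidrs)
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True

def evaluate(policy, action, context):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:  # exact match only; wildcards are not modelled
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit Deny always overrides any Allow
        decision = "Allow"
    return decision

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", None):  # constructed sample source addresses
        print(ip, evaluate(POLICY, "ec2:TerminateInstances", {"aws:SourceIp": ip} if ip else {}))
```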
awsgeek75
10 months, 2 weeks ago
Selected Answer: D
If you want to read more about this, see how it works: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html
Same policy as in this question with almost the same use case. D is the correct answer.
upvoted 3 times
...
TariqKipkemei
1 year, 4 months ago
Selected Answer: D
The command is coming from a source IP which is not in the allowed range.
upvoted 4 times
...
elmogy
1 year, 5 months ago
Selected Answer: D
"aws:SourceIP" indicates the IP address that is trying to perform the action.
upvoted 1 times
...
nosense
1 year, 6 months ago
Selected Answer: D
D for sure
upvoted 2 times
...