Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 194 discussion

A,D,E principalType could be a condition key https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html

B, D and E are correct: A: This allow all any lambda func to do the task, wont make any change B: This allow action only on EC2, so it is correct C: We need to allow action on Ec2 instances tagged with NonProdction only. Using this would grant permissions to other tags as well D: perfectly correct E: Only permit stop action, so it is correct F: irrelevant

BDE seems correct to me.

DEF - clearly

A, B, D The engineer should make the following changes to achieve a policy of least permission: A:Add a condition to ensure that the principal making the request is an AWS Lambda function. This ensures that only Lambda functions can execute this policy. B:Narrow down the resources by specifying the ARN of EC2 instances instead of allowing all resources. This ensures that the policy only affects EC2 instances. D:Add a condition to ensure that this policy only applies to EC2 instances tagged with ''Environment: NonProduction''. This ensures that production environments are not affected by this policy.

I'll go with BDE B - restrict resource from wildcard to only "arn:aws:ec2:*:*:instance/*" D - this condition limits to non Prod only E - limit actions to "ec2:StopInstances" and not all ec2 actions as for F, although YOU CAN allow access based on date/time. The typical format is: "Condition": { "DateGreaterThan": {"aws:CurrentTime": "2020-04-01T00:00:00Z"}, "DateLessThan": {"aws:CurrentTime": "2020-06-30T23:59:59Z"} https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws-dates.html

DEF. when using E, there is no need for B. F: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws-dates.html

BDE are correct. Option F is irrelevant and can use Amazon EventBridge Rule to execute the Lambda

DEF E is more prefect answer rather than B. D. restricted the ec2 using env tag as "nonproduction" F. support scope of running time which mention in the question.

DEF Principal condition is usually for resource policies.

BDE for me

D we need non prod,E we need specific action,F we need dates restriction

BDE seems correct

Why is B the correct answer?

there is no point to restrict "Resource": into instances, when you restricting action to "ec2:StopInstances". Only EC2 instance have such action. So whats the point to restrict Resource.

B, D, and E.

Vote for BDE