What the policy means:
1. Allow termination of any instance if the user's source IP address is 10.100.100.254.
2. Deny termination of instances that are not in the us-east-1 region.
Combining these two, you get:
"Allow instance termination in the us-east-1 region if the user's source IP address is 10.100.100.254. Deny the termination operation in other regions."
C is correct.
0.0/24, the following five IP addresses are reserved:
0.0: Network address.
0.1: Reserved by AWS for the VPC router.
0.2: Reserved by AWS. The IP address of the DNS server is the base of the VPC network range plus two. ...
0.3: Reserved by AWS for future use.
0.255: Network broadcast address.
The first rule allows users with the specified IP CIDR to terminate instances, and the second rule specifies that the region must be us-east-1 for the termination process to be allowed, hence C is the correct answer.
D. Users cannot terminate an EC2 instance in the us-east-1 region when the user's source IP is 10.100.100.254.
This option corresponds to the second statement in the policy, where all EC2 actions in the "us-east-1" region are denied permission when the user's source IP is "10.100.100.254".
Here is how I interpreted this:
First part: terminating an instance is allowed for the given CIDR block.
Second part: deny all EC2 actions when the region is not us-east-1.
So the second part is like a double negative, which means allow for the us-east-1 region.
You combine both (remember deny always takes priority, which is why this is written as a double negative) and you get:
[allow the us-east-1 region to do any action on EC2] when [action is terminate instance and CIDR block matches]
So C is the answer.
D is there to confuse you with the double negative.
Deny takes precedence over Allow. Thus the flow is as follows:
IF region of the EC2 instance is not "us-east-1" -> Deny
ELSE if request is coming from 10.100.100.0/24 -> Allow
ELSE: implicit deny (what is not allowed is denied)
The first statement allows users to terminate EC2 instances (ec2:TerminateInstances) from any IP address within the range 10.100.100.0/24.
The second statement denies users the ability to perform any EC2 actions (ec2:*) in any region other than us-east-1.
So, the correct interpretation is:
D. Users cannot terminate an EC2 instance in the us-east-1 Region when the user's source IP is 10.100.100.254
I went for C for obvious reasons.
Wondering though: this policy also allows terminating EC2 instances in us-east-1 even if your source IP is not 10.100.100.254, right?
The idea is that since I do not deny this for the other source IP addresses, the Allow action is obsolete?
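The evaluation flow described in the comment above ("IF region is not us-east-1 -> Deny, ELSE IF request is from 10.100.100.0/24 -> Allow, ELSE implicit deny") and the question in the last comment can both be checked by running the two statements through a small evaluator. The block below is an added example, not code from the exam page or from AWS: the policy JSON is reconstructed from how the thread describes it (Allow ec2:TerminateInstances with an aws:SourceIp condition of 10.100.100.0/24, and Deny ec2:* with a StringNotEquals condition on aws:RequestedRegion), the `Request` type and the four sample requests are constructed for illustration, and the evaluator implements only the explicit-deny / explicit-allow / implicit-deny ordering and the condition operators this policy needs.

```python
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Policy reconstructed from the thread's description of the exam question
# (an assumption; the original JSON is not reproduced on this page).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "*",
            "Condition": {"IpAddress": {"aws:SourceIp": "10.100.100.0/24"}},
        },
        {
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}},
        },
    ],
}

ALLOW = "Allow"
EXPLICIT_DENY = "Deny (explicit)"
IMPLICIT_DENY = "Deny (implicit)"


@dataclass(frozen=True)
class Request:
    """The parts of a request context this toy evaluator understands (constructed)."""
    action: str       # e.g. "ec2:TerminateInstances"
    source_ip: str    # value of the aws:SourceIp condition key
    region: str       # value of the aws:RequestedRegion condition key


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, req):
    """Return True when every operator/key pair in the Condition block holds.
    Only the operators needed for this policy are implemented."""
    context = {"aws:SourceIp": req.source_ip, "aws:RequestedRegion": req.region}
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context[key]
            values = _as_list(expected)
            if operator in ("IpAddress", "NotIpAddress"):
                in_range = any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(v, strict=False)
                    for v in values
                )
                ok = in_range if operator == "IpAddress" else not in_range
            elif operator in ("StringEquals", "StringNotEquals"):
                ok = (actual in values) if operator == "StringEquals" else (actual not in values)
            else:
                raise NotImplementedError(f"unsupported condition operator {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, req):
    """Simplified IAM evaluation order: a matching explicit Deny always wins,
    otherwise a matching explicit Allow is required, otherwise implicit deny."""
    allowed = False
    for statement in policy["Statement"]:
        # IAM action names are case-insensitive; "ec2:*" matches every EC2 action.
        patterns = [a.lower() for a in _as_list(statement["Action"])]
        if not any(fnmatchcase(req.action.lower(), p) for p in patterns):
            continue
        if not _condition_matches(statement.get("Condition", {}), req):
            continue  # the statement does not apply to this request
        if statement["Effect"] == "Deny":
            return EXPLICIT_DENY
        allowed = True
    return ALLOW if allowed else IMPLICIT_DENY


if __name__ == "__main__":
    # Constructed requests covering the cases debated in the thread.
    cases = [
        Request("ec2:TerminateInstances", "10.100.100.254", "us-east-1"),
        Request("ec2:TerminateInstances", "10.100.100.254", "eu-west-1"),
        Request("ec2:TerminateInstances", "192.0.2.10", "us-east-1"),
        Request("ec2:DescribeInstances", "10.100.100.254", "us-east-1"),
    ]
    for case in cases:
        print(f"{case.action:26} from {case.source_ip:15} in {case.region:10} -> {evaluate(POLICY, case)}")
```

The third case is the one the last comment asks about: a termination request in us-east-1 from an address outside 10.100.100.0/24 is not explicitly denied by the second statement, but nothing allows it either, so it ends in an implicit deny. The Allow statement is therefore not obsolete; it is the only thing that grants access at all, and the Deny statement only narrows where that grant applies.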