Q33 — AWS SAA-C03 Ch.5

Q333. The following IAM policy is attached to an IAM group. This is the only policy applied to the group. What are the effective IAM permissions of this policy for group members?

Correct Answer: D. Group members are allowed the ec2:StopInstances and ec2:TerminateInstances permissions for the us-east-1 Region only when logged in with multi-factor authentication (MFA). Group members are permitted any other Amazon EC2 action within the us-east-1 Region.

Explanation

The policy allows the ec2:StopInstances and ec2:TerminateInstances actions in the us-east-1 Region only when the user is authenticated with MFA. For all other Amazon EC2 actions in the us-east-1 Region, group members are permitted without any MFA requirement. There are no statements after the Allow permission, so no additional restrictions or permissions apply.

By default, AWS Identity and Access Management (IAM) users don't have permission to create or modify Amazon EC2 resources, or to perform tasks using the Amazon EC2 API. To allow IAM users to create or modify resources and perform tasks, you must create IAM policies that grant permissions for the specific resources and API actions they need, and then attach those policies to the IAM users or groups that require those permissions.