A company runs internal systems on Amazon EC2. During a deployment, an administrator attempts to terminate an EC2 instance by using the AWS CLI but receives a 403 (Access Denied). The administrator is using an IAM role that has the following IAM policy attached: What causes the failed request?
Choose an answer
Tap an option to check your answer.
Correct answer: The request does not originate from the CIDR blocks 192.0.2.0/24 or 203.0.113.0/24..
Why this is the answer
The provided IAM policy includes a Condition that restricts access based on the source IP address. Specifically, the aws:SourceIp condition dictates that the ec2:TerminateInstances action is only allowed if the request originates from either 192.0.2.0/24 or 203.0.113.0/24. Since the administrator received an "Access Denied" error, it implies their request did not originate from one of these allowed CIDR blocks, thus failing the condition and denying the action. Incorrect options: EC2 instances do not have resource-based policies that would deny termination. Instance profiles are for granting permissions to the instance, not for controlling access to the instance itself. The policy statement is an identity-based policy attached to an IAM role. It implicitly applies to the principal (the IAM role) to which it is attached, so not specifying a principal within the policy itself is standard for identity policies. The Action field explicitly grants ec2:TerminateInstances, which is the correct permission for terminating an EC2 instance.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed