The following IAM policy is attached to an IAM group. This is the only policy applied to the group. What are the effective IAM permissions of this policy for group members?
Choose an answer
Tap an option to check your answer.
Correct answer: Group members are allowed the ec2:StopInstances and ec2:TerminateInstances permissions for the us-east-1 Region only when logged in with multi-factor authentication (MFA). Group members are permitted any other Amazon EC2 action within the us-east-1 Region..
Why this is the answer
The correct answer reflects the policy's structure. The first statement explicitly allows all EC2 actions (ec2:) in us-east-1, except for ec2:StopInstances and ec2:TerminateInstances. This means all other EC2 actions are permitted without MFA. The second statement then specifically grants ec2:StopInstances and ec2:TerminateInstances permissions, but only for us-east-1 and only when MFA is present ("Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}). Therefore, for us-east-1, stopping and terminating instances requires MFA, while all other EC2 actions do not. The policy does not grant any permissions outside of us-east-1.