Topic 1 Question 422
A company has attached the following policy to an IAM user:
Which of the following actions are allowed for the IAM user?
A. Amazon RDS DescribeDBInstances action in the us-east-1 Region
B. Amazon S3 PutObject operation in a bucket named testbucket
C. Amazon EC2 DescribeInstances action in the us-east-1 Region
D. Amazon EC2 AttachNetworkInterface action in the eu-west-1 Region
Comments (9)
- Selected answer: C
I will vote A and C because both statements are right. However, the question allows only one choice, so I will go with C.
👍 3 nightmerv 2024/03/19
- Selected answer: C
A. Amazon RDS DescribeDBInstances action in the us-east-1 Region: Allowed. The policy grants describe access to all RDS resources (rds:Describe*).
B. Amazon S3 PutObject operation in a bucket named testbucket: Not Allowed. There's no mention of S3 permissions in the policy, and there's a deny statement for s3:GetObject. PutObject likely isn't allowed either.
C. Amazon EC2 DescribeInstances action in the us-east-1 Region: Allowed. The policy allows all EC2 actions (ec2:*) in the us-east-1 region due to the condition.
D. Amazon EC2 AttachNetworkInterface action in the eu-west-1 Region: Not Allowed. The policy allows EC2 actions only in the us-east-1 region (ec2:* with condition). Actions in any other region (eu-west-1 here) are not allowed due to the deny statement for ec2:*.
Therefore, the allowed actions for the IAM user are:
A. Amazon RDS DescribeDBInstances action in the us-east-1 Region
C. Amazon EC2 DescribeInstances action in the us-east-1 Region
👍 3 klayytech 2024/03/22
- Selected answer: C
C is the only possible answer for me
NotAction explicitly matches everything except the specified list of actions. So there is EXPLICIT "Deny" for all actions EXCEPT "ec2:*", "s3:GetObject", which would deny "rds:Describe*" because it is not in the list.
According to AWS policy evaluation logic - "An explicit deny in any policy overrides any allows." - so Allow "rds:Describe*" would be overridden because of the Deny. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html
👍 3 SysOps4 2024/06/30
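
Added example, not part of the original thread: a minimal evaluator for the NotAction and explicit-deny reasoning in the comment above, run against the four answer options. The policy from the question is not reproduced on this page, so `POLICY` is constructed from the statements the commenters describe, and the condition key `aws:RequestedRegion` is an assumption.

```python
from fnmatch import fnmatchcase

# Constructed policy (assumption): assembled from the statements the commenters
# describe; the policy shown with the question is not reproduced on this page.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["rds:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*",
         # Assumed condition key; the comments only say "in the us-east-1 region".
         "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}},
        {"Effect": "Deny", "NotAction": ["ec2:*", "s3:GetObject"], "Resource": "*"},
    ],
}

def _matches(patterns, action):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _applies(stmt, action, context):
    # NotAction inverts the match: the statement covers every action NOT listed.
    if "NotAction" in stmt:
        hit = not _matches(stmt["NotAction"], action)
    else:
        hit = _matches(stmt["Action"], action)
    conds = stmt.get("Condition", {}).get("StringEquals", {})
    return hit and all(context.get(k) == v for k, v in conds.items())

def evaluate(policy, action, region):
    """Single identity-based policy only; Resource is "*" in every statement."""
    context = {"aws:RequestedRegion": region}
    effects = [s["Effect"] for s in policy["Statement"] if _applies(s, action, context)]
    if "Deny" in effects:           # an explicit deny overrides any allow
        return "explicit deny"
    return "allow" if "Allow" in effects else "implicit deny"

def answer_options():
    requests = [("rds:DescribeDBInstances", "us-east-1"),   # option A
                ("s3:PutObject", "us-east-1"),              # option B
                ("ec2:DescribeInstances", "us-east-1"),     # option C
                ("ec2:AttachNetworkInterface", "eu-west-1")]  # option D
    return {f"{a} @ {r}": evaluate(POLICY, a, r) for a, r in requests}

if __name__ == "__main__":
    for request, decision in answer_options().items():
        print(f"{request}: {decision}")
```

Under this constructed policy, `s3:GetObject` is also not allowed: listing an action in a Deny statement's NotAction only exempts it from that deny and grants nothing, so it falls through to an implicit deny.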