Bird
0
0

You want to create a secure setup where users in the Developers group can only start and stop EC2 instances, but not terminate them. Which IAM policy snippet attached to the group achieves this?

hard📝 Best Practice Q15 of 15
AWS - Identity and Access Management
You want to create a secure setup where users in the Developers group can only start and stop EC2 instances, but not terminate them. Which IAM policy snippet attached to the group achieves this?
A{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"], "Resource": "*" }] }
B{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "ec2:*", "Resource": "*" }] }
C{ "Version": "2012-10-17", "Statement": [{ "Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*" }] }
D{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"], "Resource": "*" }] }
Step-by-Step Solution
Solution:

  1. Step 1: Understand required permissions

    Users should only start and stop instances, so allow only those actions.

  2. Step 2: Evaluate policy options

    { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"], "Resource": "*" }] } allows only StartInstances and StopInstances. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "ec2:*", "Resource": "*" }] } allows all EC2 actions, including terminate. { "Version": "2012-10-17", "Statement": [{ "Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*" }] } denies terminate but does not allow start/stop explicitly. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"], "Resource": "*" }] } allows terminate, which is not desired.

  3. Final Answer:

    Policy allowing only start and stop EC2 instances -> Option D

  4. Quick Check:

    Allow only start/stop, no terminate = { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"], "Resource": "*" }] } [OK]
Quick Trick: Allow only needed actions, avoid wildcard ec2:* [OK]
Common Mistakes:
MISTAKES
  • Using ec2:* allows unwanted terminate action
  • Only denying terminate without allowing start/stop
  • Including terminate in allowed actions

Want More Practice?

15+ quiz questions · All difficulty levels · Free

Free Signup - Practice All Questions
More AWS Quizzes
AWS Account and Billing - Root user vs IAM user - Quiz 12easy AWS Account and Billing - Root user vs IAM user - Quiz 3easy AWS Account and Billing - Root user vs IAM user - Quiz 8hard Cloud Computing Fundamentals - Cloud deployment models (public, private, hybrid) - Quiz 14medium Cloud Computing Fundamentals - Cloud service models (IaaS, PaaS, SaaS) - Quiz 4medium EC2 Fundamentals - Instance metadata and user data - Quiz 12easy S3 Fundamentals - Buckets and objects concept - Quiz 10hard Security Groups and Network ACLs - Security groups vs NACLs decision - Quiz 4medium Security Groups and Network ACLs - Stateful behavior of security groups - Quiz 13medium VPC Fundamentals - NAT Gateway for private subnet internet - Quiz 2easy