[Solved] Given this policy snippet:{ "Effect": "Allow", "Action": "ec2:StartInstances", "Resource": "*", "Condition": { "IpAddress": {"aws:SourceIp": "203.0.113.... | AWS

AWS - Identity and Access Management

Given this policy snippet:

{
  "Effect": "Allow",
  "Action": "ec2:StartInstances",
  "Resource": "*",
  "Condition": {
    "IpAddress": {"aws:SourceIp": "203.0.113.0/24"}
  }
}

What happens if a user tries to start an EC2 instance from IP 198.51.100.10?

AThe action is denied because the IP does not match the condition.

BThe action is allowed because the Effect is Allow.

CThe action is allowed only if the user has another policy allowing it.

DThe action is denied only if there is an explicit Deny policy.

Step-by-Step Solution

Solution:

Step 1: Understand Condition effect
The policy allows the action only if the request comes from IPs in 203.0.113.0/24 range.
Step 2: Check IP address
The user's IP 198.51.100.10 is outside the allowed range, so the condition fails.
Final Answer:
The action is denied because the IP does not match the condition. -> Option A
Quick Check:
Condition IP mismatch = Deny [OK]

Quick Trick: Conditions restrict Allow; mismatch means Deny [OK]

Common Mistakes:

Ignoring condition and assuming Allow always works
Confusing explicit Deny with condition-based Deny
Assuming multiple policies needed to allow

Master "Identity and Access Management" in AWS

9 interactive learning modes - each teaches the same concept differently

Learn Why Deep Visual Try Challenge Project Recall Time

More AWS Quizzes

Given this policy snippet:

Step 1: Understand Condition effect

Step 2: Check IP address

Final Answer:

Quick Check:

Want More Practice?