[Solved] You have two policies attached to a user:Policy 1: Allows s3:GetObject on bucket my-bucket.Policy 2: Denies s3:GetObject on bucket my-bucket if the request is from outside office IP range.... | AWS

AWS - Identity and Access Management

You have two policies attached to a user:
Policy 1: Allows s3:GetObject on bucket my-bucket.
Policy 2: Denies s3:GetObject on bucket my-bucket if the request is from outside office IP range.

The user tries to get an object from home IP. What is the result?

AThe request is allowed because Policy 1 allows it.

BThe request is allowed only if the user is in the admin group.

CThe request is denied only if there is a service outage.

DThe request is denied because Policy 2 explicitly denies it from outside IPs.

Step-by-Step Solution

Solution:

Step 1: Identify explicit Deny with condition
Policy 2 denies the action if the IP is outside the office range, which applies here.
Step 2: Apply evaluation logic
Explicit Deny overrides any Allow, so the request is denied.
Final Answer:
The request is denied because Policy 2 explicitly denies it from outside IPs. -> Option D
Quick Check:
Explicit Deny with condition blocks request [OK]

Quick Trick: Explicit Deny with condition beats Allow always [OK]

Common Mistakes:

Ignoring condition in Deny policy
Assuming Allow always wins
Thinking user group affects Deny priority

Master "Identity and Access Management" in AWS

9 interactive learning modes - each teaches the same concept differently

Learn Why Deep Visual Try Challenge Project Recall Time

More AWS Quizzes

You have two policies attached to a user:

Step 1: Identify explicit Deny with condition

Step 2: Apply evaluation logic

Final Answer:

Quick Check:

Want More Practice?