Difficulty: hard · Best Practice · Q15 of 15
AWS - Identity and Access Management
You want to create a policy that allows ec2:StopInstances only during business hours (9 AM to 5 PM UTC) and denies it otherwise. Which policy logic correctly enforces this?
A. Only use Deny with condition outside 9-17 UTC, no Allow needed.
B. Allow ec2:StopInstances with condition "DateGreaterThan": {"aws:CurrentTime": "09:00:00Z"}, no Deny needed.
C. Allow ec2:StopInstances unconditionally, and add a Deny with condition outside 9-17 UTC.
D. Allow ec2:StopInstances with condition for 9-17 UTC, and Deny unconditionally.
Step-by-Step Solution
Solution:
  1. Step 1: Understand Deny override with time condition

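    The unconditional Allow permits ec2:StopInstances, but the explicit Deny applies outside 9-17 UTC and overrides the Allow, because in IAM policy evaluation an explicit Deny always takes precedence over an Allow.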
  2. Step 2: Verify business hours enforcement

    During 9 AM-5 PM UTC: the Deny condition is false -> the action is allowed. Outside those hours: the Deny condition is true -> the action is denied.
  3. Final Answer:

    Allow unconditionally, and add a Deny with condition outside 9-17 UTC. -> Option C
  4. Quick Check:

    Allow + Deny conditions enforce time limits [OK]
Quick Trick: Unconditional Allow + conditional Deny outside business hours [OK]
Common Mistakes:
  • Relying only on Allow conditions without Deny
  • Using unconditional Deny that blocks all
  • Missing time range in conditions
