Bird
0
0

If a user has two policies attached: one explicitly allows ec2:StartInstances and another explicitly denies ec2:StartInstances, what is the final effect when the user tries to start an instance?

medium📝 Predict Output Q5 of 15
AWS - Identity and Access Management
If a user has two policies attached: one explicitly allows ec2:StartInstances and another explicitly denies ec2:StartInstances, what is the final effect when the user tries to start an instance?
AThe action is allowed
BThe action is allowed if the user is an administrator
CThe action is allowed only if the deny policy is disabled
DThe action is denied
Step-by-Step Solution
Solution:

  1. Step 1: Identify conflicting policies

    One policy allows, another denies the same action.

  2. Step 2: Apply IAM evaluation logic

    Explicit Deny overrides any Allow, so the action is denied.

  3. Final Answer:

    Action is denied due to explicit deny -> Option D

  4. Quick Check:

    Explicit Deny beats Allow [OK]
Quick Trick: Explicit Deny always overrides Allow in IAM evaluation [OK]
Common Mistakes:
MISTAKES
  • Assuming Allow overrides Deny
  • Thinking admin status changes deny effect
  • Ignoring deny policy presence

Want More Practice?

15+ quiz questions · All difficulty levels · Free

Free Signup - Practice All Questions
More AWS Quizzes
AWS Account and Billing - Setting up billing alerts - Quiz 12easy AWS Account and Billing - Free tier usage monitoring - Quiz 1easy AWS Account and Billing - Resource tagging for cost tracking - Quiz 8hard Identity and Access Management - IAM best practices - Quiz 11easy Identity and Access Management - IAM roles concept - Quiz 13medium S3 Fundamentals - Why S3 matters for object storage - Quiz 3easy S3 Fundamentals - Buckets and objects concept - Quiz 6medium Security Groups and Network ACLs - Stateful behavior of security groups - Quiz 12easy Security Groups and Network ACLs - Stateless behavior of NACLs - Quiz 7medium VPC Fundamentals - CIDR blocks and IP addressing - Quiz 12easy