Exam DVA-C02
Question 384

An IAM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the IAM access key and secret access key, which allow full administrative access.

Given that multiple modes of IAM access are present for this EC2 instance, which of the following is correct?

    Correct Answer: D

    An explicit deny in IAM policies takes precedence over any allowed permissions. Therefore, if an IAM role attached to the EC2 instance explicitly denies all Amazon S3 API actions, the EC2 instance will not be able to perform any S3 actions, regardless of the credentials specified in the instance's credentials file that grant full administrative access.
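
The precedence rule in the explanation above, as an added example that is not part of the original page: a simplified evaluator for identity-based policy statements (no conditions, `NotAction`, permissions boundaries or SCPs). The two policy documents are constructed to mirror the question, and the example assumes both are in the set of policies evaluated for the same request.

```python
import re


def _glob(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' matches exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None


def _any(patterns, value, ignore_case=False):
    # Policy elements may be a single string or a list of strings.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(_glob(p, value, ignore_case) for p in patterns)


def evaluate(policies, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        stmts = policy["Statement"]
        for s in stmts if isinstance(stmts, list) else [stmts]:
            # Action names are case-insensitive; resource ARNs are not.
            if not _any(s["Action"], action, ignore_case=True):
                continue
            if not _any(s["Resource"], resource):
                continue
            if s["Effect"] == "Deny":
                return "ExplicitDeny"  # one matching Deny ends evaluation
            allowed = True
    # With no matching Allow, the request falls through to the default deny.
    return "Allow" if allowed else "ImplicitDeny"


# Constructed policy documents modelled on the question (not from the page).
DENY_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}
ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"  # constructed ARN
    for act, res in [("s3:GetObject", obj), ("ec2:DescribeInstances", "*")]:
        print(act, "->", evaluate([ADMIN, DENY_S3], act, res))
```
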

Discussion
tomchandler077

D. Explicit deny policies in IAM take precedence over any allow policies. If the IAM role attached to the EC2 instance explicitly denies access to S3, this deny will apply regardless of any other credentials or policies that might grant access. Even though the EC2 instance's credentials file specifies keys with full administrative access, the explicit deny in the IAM role will override these permissions for S3 actions.

Anandesh

Option: D

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html