
SAA-C03 Exam - Question 96


An Amazon EC2 administrator created the following policy associated with an IAM group containing several users:

What is the effect of this policy?

Correct Answer: C

The policy contains two statements: the first allows EC2 instance termination (ec2:TerminateInstances) for requests whose source IP is within the range 10.100.100.0/24, and the second denies all EC2 actions (ec2:*) in any region other than us-east-1. Because an explicit deny always overrides an allow, the combined effect is that users can terminate EC2 instances only in the us-east-1 region, and only when their source IP falls within the specified range, which includes 10.100.100.254.
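The following is an added example, not code from the exam page: a reconstruction of the two-statement policy described in the answer (the page shows the real policy only as an image, so the JSON below and its condition keys aws:SourceIp and ec2:Region are assumptions) together with a minimal evaluator that applies IAM's decision order, explicit deny first, then allow, then implicit deny. Running it over a few constructed requests shows why C holds and also answers the side question raised in the discussion: a termination request from an IP outside the range in us-east-1 is not allowed, but it is an implicit deny rather than an explicit one.

```python
"""Toy IAM policy evaluator for the two-statement policy in SAA-C03 question 96.

Added example, not the exam page's own code. The policy JSON below is a
reconstruction from the answer text (the page shows the real one only as an
image); the condition keys aws:SourceIp and ec2:Region are assumptions.
"""
import fnmatch
import ipaddress

# Reconstructed policy (assumption): Allow ec2:TerminateInstances from the
# 10.100.100.0/24 range, and Deny every ec2:* action outside us-east-1.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "*",
            "Condition": {"IpAddress": {"aws:SourceIp": "10.100.100.0/24"}},
        },
        {
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {"StringNotEquals": {"ec2:Region": "us-east-1"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def action_matches(patterns, action):
    """IAM action matching: case-insensitive, '*' is a wildcard (e.g. "ec2:*")."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def condition_holds(condition, ctx):
    """All operator/key pairs in a Condition block must hold (they are ANDed).

    Simplification: the request context is assumed to carry every key used,
    so the ...IfExists and missing-key rules are not modelled here.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx[key]
            if operator == "IpAddress":
                if ipaddress.ip_address(actual) not in ipaddress.ip_network(expected):
                    return False
            elif operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                if actual == expected:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def evaluate(policy, action, ctx):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request.

    IAM logic: an applicable Deny statement always wins; otherwise any
    applicable Allow grants access; otherwise the request is implicitly denied.
    Resource matching is skipped because both statements use "*".
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not action_matches(stmt["Action"], action):
            continue
        if not condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def decide(action, source_ip, region):
    """Evaluate one request against POLICY; the context values are constructed."""
    ctx = {"aws:SourceIp": source_ip, "ec2:Region": region}
    return evaluate(POLICY, action, ctx)


# Constructed requests covering the cases debated in the discussion.
REQUESTS = [
    ("ec2:TerminateInstances", "10.100.100.254", "us-east-1"),  # Allow
    ("ec2:TerminateInstances", "10.100.100.254", "eu-west-1"),  # ExplicitDeny
    ("ec2:TerminateInstances", "192.0.2.10", "us-east-1"),      # ImplicitDeny
    ("ec2:DescribeInstances", "10.100.100.254", "us-east-1"),   # ImplicitDeny
]

if __name__ == "__main__":
    for action, ip, region in REQUESTS:
        print(f"{action:24} from {ip:15} in {region:10} -> {decide(action, ip, region)}")
```

The fourth request shows that the Deny statement's "double negative" does not itself grant anything: ec2:DescribeInstances in us-east-1 is not explicitly denied, but with no Allow covering it the outcome is still a deny.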

Discussion

17 comments
Joxtat
Jan 4, 2023

What the policy means: 1. Allow termination of any instance if the user's source IP address is 100.100.254. 2. Deny termination of instances that are not in us-east-1. Combining these two, you get: "Allow instance termination in the us-east-1 region if the user's source IP address is 10.100.100.254. Deny termination operations in other regions."

KMohsoe
May 12, 2023

Nice explanation. Thanks

Subh_fidelity
Dec 2, 2022

C is correct. 0.0/24, the following five IP addresses are reserved: 0.0: Network address. 0.1: Reserved by AWS for the VPC router. 0.2: Reserved by AWS. The IP address of the DNS server is the base of the VPC network range plus two. ... 0.3: Reserved by AWS for future use. 0.255: Network broadcast address.

Bmarodi
May 21, 2023

A good explanation!

Cyberkayu
Dec 6, 2023

If IP = 10.100.100.0/24, allow terminate EC2. Else deny EC2 termination permission, with the condition "String NOT equal" to us-east-1. Answer C.

pentium75 (Option: C)
Dec 25, 2023

Deny takes precedence over Allow. Thus the flow is as follows: IF region of the EC2 instance is not "us-east-1" -> Deny; ELSE if request is coming from 10.100.100.0/24 -> Allow; ELSE: implicit deny (what is not allowed is denied).

vip2 (Option: C)
Feb 16, 2024

Clearly the answer is C. D is 'Deny' 'String NOT equal' == only allow us-east-1

awsgeek75 (Option: C)
Jan 14, 2024

Here is how I interpreted this. First part: terminate instance is allowed for the given CIDR block. Second part: deny all EC2 actions when the region is not us-east-1, so the second part is like a double negative, which means allow for the us-east-1 region. You combine both (remember deny always takes priority, which is why this is written as a double negative) and you get: [allow the us-east-1 region to do any action on EC2] when [action is terminate instance and the CIDR block matches]. So C is the answer; D is there to confuse you with the double negative.

TariqKipkemei (Option: C)
Aug 24, 2023

Deny all actions on the EC2 instances in the us-east1 region, but let anyone with source IP 10.100.100.254 be able to terminate the EC2 instances.

Valder21
Aug 31, 2023

I went for C for obvious reasons. Wondering though: this policy also allows terminating EC2 instances in us-east-1 even if your source IP is not 10.100.100.254, right? The idea is that since I do not deny this for the other source IP addresses, the Allow action is obsolete?

Subhrangsu
Sep 23, 2023

D is not, because of Deny & NOT Equals.

prabhjot
Oct 6, 2023

Answer D - This policy denies EC2 instance termination for users with the source IP address 10.100.100.254 in the us-east-1 Region.

tom_cruise (Option: C)
Oct 10, 2023

The first statement is a subset of the second statement.

sweetheatmn (Option: C)
Oct 21, 2023

C, because the explicit deny blocks regions other than us-east-1.

Bjfikky (Option: D)
Nov 19, 2023

The first statement allows users to terminate EC2 instances (ec2:TerminateInstances) from any IP address within the range 10.100.100.0/24. The second statement denies users the ability to perform any EC2 actions (ec2:*) in any region other than us-east-1. So, the correct interpretation is: D. Users cannot terminate an EC2 instance in the us-east-1 Region when the user's source IP is 10.100.100.254

pentium75
Dec 25, 2023

D denies "the ability to perform any actions in any region OTHER than us-east-1". Thus the user CAN terminate instances IN us-east-1. Thus C.

jhoiti (Option: D)
Apr 5, 2024

D. Users cannot terminate an EC2 instance in the us-east-1 region when the user's source IP is 10.100.100.254. This option corresponds to the second statement in the policy, where all EC2 actions in the "us-east-1" region are denied permission when the user's source IP is "10.100.100.254".

lofzee
May 27, 2024

But it says "StringNotEquals", meaning everything is denied apart from us-east-1.

ChymKuBoy (Option: C)
Jun 17, 2024

C for sure

jatric (Option: C)
Jul 3, 2024

The policy allows us-east-1 with the specific IP address in the range.

jaradat02 (Option: C)
Jul 21, 2024

The first rule allows users with the specified IP CIDR to terminate instances, and the second rule specifies that the region must be us-east-1 for the termination process to be allowed, hence C is the correct answer.