DOP-C02 · Question #209
DOP-C02 Question #209: Real Exam Question with Answer & Explanation
Question
A company is reviewing its IAM policies. One policy written by the DevOps engineer has been flagged as too permissive. The policy is used by an AWS Lambda function that issues a stop command to Amazon EC2 instances tagged with Environment: NonProduction over the weekend. The current policy is: What changes should the engineer make to achieve a policy of least permission? (Choose three.)
Options
- A. Add the following conditional expression:
- B. Change `"Resource": "*"` to `"Resource": "arn:aws:ec2:*:*:instance/*"`
- C. Add the following conditional expression:
- D. Add the following conditional expression:
- E. Change `"Action": "ec2:*"` to `"Action": "ec2:StopInstances"`
- F. Add the following conditional expression:
Explanation
Least Privilege IAM Policy Explanation
Applying the principle of least privilege requires three specific changes to this overly permissive policy. Option E is essential because changing ec2:* to ec2:StopInstances restricts the Lambda function to only the single action it actually needs, eliminating all other EC2 permissions. Option B narrows the resource scope from the wildcard * to arn:aws:ec2:*:*:instance/*, ensuring the policy targets only EC2 instances rather than all AWS resources. Option D adds the correct conditional expression restricting actions to instances tagged with Environment: NonProduction, enforcing the tag-based targeting that the function is designed for.
The remaining distractor options (A, C, F) represent incorrect or incomplete conditional expressions - they may contain syntax errors, wrong condition keys, or improper tag value references that would either break the policy or fail to properly restrict scope. Without seeing the exact conditional syntax shown in the exam, the key principle is that only one specific condition correctly matches the ResourceTag/Environment: NonProduction requirement.
🧠 Memory Tip: Think of least privilege as the "ARC" rule - Action (only what's needed), Resource (only what's targeted), Condition (only when appropriate). This question tests all three dimensions simultaneously, making B, D, and E the natural "ARC" answer.
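As an added illustration (not the exam's policy, which the page does not reproduce), here is the over-permissive statement beside its least-privilege form with the three changes from options E, B and D applied, plus a small checker for the three ARC dimensions. The exact condition expression is an assumption: the `ec2:ResourceTag/Environment` key under `StringEquals` is used to express the NonProduction tag requirement.

```python
import json

# Constructed sample policies; the page does not show the exam's actual policy document.
# BEFORE: the over-permissive statement the question describes (ec2:* on every resource).
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

# AFTER: the same statement with options E (Action), B (Resource) and D (Condition) applied.
# The condition form is an assumption: ec2:ResourceTag/Environment with StringEquals.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ec2:StopInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "NonProduction"}},
    }],
}

def _as_list(value):
    # IAM allows Action/Resource to be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def arc_findings(policy: dict) -> list[str]:
    """Check each Allow statement on the three ARC dimensions from the explanation:
    Action (only what is needed), Resource (only what is targeted), Condition (only
    when the tag matches). Returns findings; an empty list means the policy passes."""
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"stmt {idx}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"stmt {idx}: wildcard resource '*'")
        tag_value = (stmt.get("Condition", {}).get("StringEquals", {})
                     .get("ec2:ResourceTag/Environment"))
        if tag_value != "NonProduction":
            findings.append(f"stmt {idx}: not restricted to Environment=NonProduction")
    return findings

if __name__ == "__main__":
    for name, policy in [("permissive", PERMISSIVE_POLICY),
                         ("least-privilege", LEAST_PRIVILEGE_POLICY)]:
        print(name, arc_findings(policy) or "OK")
        print(json.dumps(policy, indent=2))
```

Running the checker flags all three dimensions on the permissive statement and reports nothing on the corrected one.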