DVA-C02 · Question #399
DVA-C02 Question #399: Real Exam Question with Answer & Explanation
The correct answer is D: The EC2 instance will not be able to perform any S3 action on any S3 bucket.
Question
An IAM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the IAM access key and secret access key, which allow full administrative access. Given that multiple modes of IAM access are present for this EC2 instance, which of the following is correct?
Options
- A. The EC2 instance will only be able to list the S3 buckets.
- B. The EC2 instance will only be able to list the contents of one S3 bucket at a time.
- C. The EC2 instance will be able to perform all actions on any S3 bucket.
- D. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
Explanation
Option D is correct because AWS IAM policy evaluation follows a strict hierarchy: an explicit Deny always overrides any Allow, regardless of the source or privilege level of the Allow. Even though the credentials file grants full administrative access, the explicit Deny on all S3 actions attached via the IAM role takes absolute precedence - the EC2 instance is completely blocked from S3.
Options A and B are wrong because they imply partial S3 access (listing buckets or contents), but an explicit Deny doesn't partially restrict - it blocks the specified actions entirely, with no exceptions. Option C is wrong because it assumes the admin-level credentials "win" over the role's deny, which is never how AWS IAM works; no amount of Allow permissions can override an explicit Deny.
Memory tip: Use the phrase "Deny Dominates" - in AWS IAM, the evaluation order is: (1) default deny everything, (2) apply Allows, (3) apply explicit Denies. Step 3 always wins, making explicit Deny the final word in any access decision, no matter how powerful the competing Allow is.
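The "explicit Deny overrides any Allow" rule from the explanation, as an added Python sketch that is not AWS code or part of the original question. It assumes, as the question does, that both policies are evaluated for the same request, and it models only `Effect`, `Action` and `Resource` (no `NotAction`, `Condition` or resource-based policies); the policy documents and the bucket ARN are constructed for illustration.

```python
import re

# Constructed policies mirroring the question: the role denies every S3 action,
# the access-key identity has full administrative access.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}],
}
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
BUCKET_ARN = "arn:aws:s3:::example-bucket"  # constructed sample resource


def _as_list(value):
    # IAM accepts a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def _wildcard(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def statement_applies(stmt, action, resource):
    # Action names are case-insensitive; resource ARNs are matched case-sensitively.
    actions = _as_list(stmt["Action"])
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(_wildcard(a, action, ignore_case=True) for a in actions)
            and any(_wildcard(r, resource) for r in resources))


def evaluate(policies, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"  # nothing matched yet: the default is deny
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # one matching Deny ends the evaluation
            decision = "Allow"  # remembered, but a later Deny can still win
    return decision


if __name__ == "__main__":
    for act in ("s3:ListAllMyBuckets", "s3:GetObject", "ec2:DescribeInstances"):
        print(act, "->", evaluate([ADMIN_POLICY, ROLE_POLICY], act, BUCKET_ARN))
```

The result does not depend on the order in which the policies are supplied, which is the property the question tests.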