Exam AWS Certified Solutions Architect - Professional topic 1 question 262 discussion

A user has set the IAM policy where it denies all requests if a request is not from IP 10.10.10.1/32. The other policy says allow all requests between 5 PM to 7 PM.
What will happen when a user is requesting access from IP 55.109.10.12/32 at 6 PM?

  • A. It will deny access
  • B. It is not possible to set a policy based on the time or IP
  • C. IAM will throw an error for policy conflict
  • D. It will allow access
Suggested Answer: A
When a request is made, AWS IAM evaluates the applicable policies to decide whether the request should be allowed or denied. The evaluation logic follows these rules:
  • By default, all requests are denied. (In general, requests made using the account credentials for resources in the account are always allowed.)
  • An explicit allow policy overrides this default.
  • An explicit deny policy overrides any allows.
In this case there are both explicit deny and explicit allow statements, so the request is denied because deny overrides allow.
Reference:
http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_EvaluationLogic.html
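
The evaluation order described above, as an added example that is not part of the original page: a simplified Python model of deny-overrides evaluation applied to the two policies in the question. The policy documents, the date 2024-01-15 used to pin the 5 PM to 7 PM window, and all helper names are constructed, and only the three condition operators shown are modelled.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed policies modelling the question. IAM date operators compare
# full timestamps, so the window is pinned to one constructed date (UTC).
POLICIES = [
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "10.10.10.1/32"}}},
    {"Effect": "Allow", "Action": "*", "Resource": "*",
     "Condition": {
         "DateGreaterThan": {"aws:CurrentTime": "2024-01-15T17:00:00Z"},
         "DateLessThan": {"aws:CurrentTime": "2024-01-15T19:00:00Z"}}},
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

# Simplified operator table: only the operators used by POLICIES.
OPERATORS = {
    "NotIpAddress": lambda ctx, want: not _in_cidr(ctx, want),
    "DateGreaterThan": lambda ctx, want: _ts(ctx) > _ts(want),
    "DateLessThan": lambda ctx, want: _ts(ctx) < _ts(want),
}

def statement_matches(stmt, context):
    """Every operator/key pair in the statement must hold (logical AND).
    Assumes the context carries every key; missing-key rules are not modelled."""
    for op, keys in stmt.get("Condition", {}).items():
        for key, want in keys.items():
            if not OPERATORS[op](context[key], want):
                return False
    return True

def evaluate(policies, context):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for a request context."""
    effects = {s["Effect"] for s in policies if statement_matches(s, context)}
    if "Deny" in effects:      # an explicit deny overrides any allow
        return "ExplicitDeny"
    if "Allow" in effects:     # an explicit allow overrides the default deny
        return "Allow"
    return "ImplicitDeny"      # no statement matched: default deny

def request(ip, when):
    """Build a constructed request context with the two keys the policies read."""
    return {"aws:SourceIp": ip, "aws:CurrentTime": when}
```

Calling `evaluate(POLICIES, request("55.109.10.12", "2024-01-15T18:00:00Z"))` reproduces the question's scenario: both statements match, and the deny wins.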

Comments

hilft
2 years, 9 months ago
CLF level question. won't be in SAP
upvoted 1 times
hilft
2 years, 9 months ago
In plain English, block anyone that is not from 10.10.10.1/32 from 5 to 7. Someone is trying with 55.109.xxx.xxx/32 -> Block. The answer is A
upvoted 1 times
jj22222
3 years, 3 months ago
A looks right - it will deny the request
upvoted 2 times
Yecine11y
3 years, 3 months ago
There is no conflict with time. Source IP is wrong, user will be able to access but IAM will throw an error, example: An error occurred describing your selected AMI You are not authorized to perform this operation.
upvoted 1 times
cldy
3 years, 4 months ago
A. It will deny access
upvoted 1 times
ExtHo
3 years, 6 months ago
CIDR 10.10.10.1/32: First IP 10.10.10.1, Last IP 10.10.10.1. CIDR 55.109.10.12/32: First IP 55.109.10.12, Last IP 55.109.10.12. Since we have different IPs, don't be confused by the time; simply follow the standard rule: By default, all requests are denied
upvoted 1 times
newme
3 years, 6 months ago
"The other policy says allow all requests between 5 PM to 7 PM" How to do this? https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_Date says it has to specify date and "Wildcards are not permitted for date condition operators"
upvoted 2 times
DuyPhan
3 years, 6 months ago
A is correct, explicit deny always takes higher priority
upvoted 1 times
NKnab
3 years, 7 months ago
D is correct. Request is coming from a different IP address than the one which is denied
upvoted 1 times
Oleksandr
3 years, 7 months ago
Right. But the question says that all requests coming NOT from 10.10..../32 are denied.
upvoted 1 times
meenu2225
3 years, 6 months ago
A is correct. Please check the question again, it says denies all the requests if the request is NOT from 10.10.10.1/32
upvoted 2 times