To meet regulatory requirements, a Security Engineer needs to implement an IAM policy that restricts the use of AWS services to the us-east-1 Region. What policy should the Engineer implement? A. B. C. D.
Answer is C.
B is wrong. It's about EC2 instances, whereas the question is about ALL AWS services.
A is wrong. It doesn't explicitly DENY other Regions.
D is wrong, because the NotAction element in a statement with "Effect": "Deny" denies access to all of the listed resources except for the actions specified in the NotAction element.
A is the correct answer according to the following link: https://aws.amazon.com/blogs/security/easier-way-to-control-access-to-aws-regions-using-iam-policies/
A is the correct one. You need an explicit allow to permit the action. C denies all the other regions explicitly, but it does not allow NV either -> https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
A is correct; it will allow only the us-east-1 region.
C, as it is presented, will not allow anything, because it is still missing an Allow. Create a role with that policy and see what happens.
No, it's C. By default, you can use any AWS region. If you want to restrict all access to a certain region, you must explicitly deny access in all regions BUT the one you want to allow.
With A, I could still be able to deploy in other regions.
The question does not ask to give access to any server but to "restrict the use of AWS services to the us-east-1 Region". A allows only the us-east-1 Region, but it is possible to create another policy that will allow access to a resource in a different Region. Hence, A is not explicitly restrictive. C is.
Correct Ans: C
This is an example of an SCP, which acts as a guardrail and should be implemented as an explicit "Deny". And as it is talking about all AWS resources, out of C and D the answer should be C, as it is talking about AWS and not only EC2.
I'd go with C: explicit deny trumps everything else.
Imagine you have an explicit allow, allowing only one region; if you create more explicit allows, you can get access to more regions. But with an explicit deny, it doesn't matter how many explicit allows you create, new regions will be denied due to the explicit deny you created.
Between A and C, I still believe A is correct.
Based on the process below, "no explicit allow" and "explicit deny" will both lead to a DENY action at the end.
https://docs.aws.amazon.com/IAM/latest/UserGuide/images/PolicyEvaluationHorizontal111621.png
In answer C, it will deny all requests when the destination is not "us-east-1", but that does not mean it will allow the request to go through if it goes to "us-east-1".
Based on FW ACL settings, if the ACL is set as:
# deny a.a.a.a
# deny b.b.b.b
# deny c.c.c.c
if d.d.d.d comes, it will also deny d.d.d.d, because no allow for d.d.d.d is defined.
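The disagreement in the thread comes down to the three rules of IAM policy evaluation: a request is implicitly denied until an Allow matches, an explicit Deny overrides every Allow, and extra Allow statements widen what an allow-only policy permits. The simulator below is an added example written for this page (it is not code from the thread, the exam, or AWS), and the two policies in it are reconstructed from how the comments describe options A (Allow only in us-east-1) and C (explicit Deny in every other region); the exam's exact option text is not on the page. Only the `aws:RequestedRegion` condition key with the `StringEquals` / `StringNotEquals` operators is modelled, and the sample actions and regions are constructed.

```python
"""Minimal IAM policy-evaluation simulator (added example, not an AWS tool).

Models the three rules the thread argues about:
  1. implicit deny until an Allow statement matches,
  2. an explicit Deny always wins, no matter how many Allows exist,
  3. additional Allow statements widen an allow-only policy.
"""
import fnmatch

# Constructed policies modelled on the comments' descriptions of the options.
ALLOW_ONLY_US_EAST_1 = {  # "option A" as described: allow everything, only in us-east-1
    "Statement": [{
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}},
    }]
}

DENY_OUTSIDE_US_EAST_1 = {  # "option C" as described: explicit deny in every other region
    "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}},
    }]
}

# A second, later policy an administrator might attach (constructed).
ALLOW_EU_WEST_1 = {
    "Statement": [{
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}},
    }]
}

# A broad allow that the explicit-deny approach relies on being present somewhere.
ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate StringEquals / StringNotEquals blocks against the request context."""
    for operator, pairs in (condition or {}).items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            wanted = _as_list(wanted)
            if operator == "StringEquals" and actual not in wanted:
                return False
            if operator == "StringNotEquals" and actual in wanted:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def _statement_applies(stmt, action, context):
    patterns = _as_list(stmt["Action"])
    matched = any(fnmatch.fnmatchcase(action, p) for p in patterns)
    return matched and _condition_matches(stmt.get("Condition"), context)


def evaluate(policies, action, region):
    """Return 'Allow' or 'Deny' for one request under all attached policies."""
    context = {"aws:RequestedRegion": region}
    decision = "Deny"  # rule 1: implicit deny until an Allow matches
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # rule 2: explicit deny ends the evaluation
            decision = "Allow"
    return decision


def compare_options(action="s3:GetObject"):
    """Run the scenarios the commenters describe and return the decisions."""
    return {
        # Option A alone: works in us-east-1, implicitly denied elsewhere.
        "A_alone_us_east_1": evaluate([ALLOW_ONLY_US_EAST_1], action, "us-east-1"),
        "A_alone_eu_west_1": evaluate([ALLOW_ONLY_US_EAST_1], action, "eu-west-1"),
        # Option A plus a later allow: rule 3, another region opens up.
        "A_plus_extra_allow_eu_west_1": evaluate(
            [ALLOW_ONLY_US_EAST_1, ALLOW_EU_WEST_1], action, "eu-west-1"),
        # Option C alone: nothing is allowed anywhere (no Allow statement at all).
        "C_alone_us_east_1": evaluate([DENY_OUTSIDE_US_EAST_1], action, "us-east-1"),
        # Option C plus an allow: us-east-1 works, and extra allows cannot reopen eu-west-1.
        "C_plus_allow_us_east_1": evaluate(
            [DENY_OUTSIDE_US_EAST_1, ALLOW_ALL], action, "us-east-1"),
        "C_plus_allows_eu_west_1": evaluate(
            [DENY_OUTSIDE_US_EAST_1, ALLOW_ALL, ALLOW_EU_WEST_1], action, "eu-west-1"),
    }


if __name__ == "__main__":
    for scenario, decision in compare_options().items():
        print(f"{scenario:32s} -> {decision}")
```

Running it shows both camps' observations at once: the allow-only policy does restrict a principal that has no other permissions, but a second Allow reopens another region, whereas the explicit-Deny policy holds regardless of later Allows yet grants nothing on its own until some Allow exists.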