AWS Certified Developer – Associate / Question #942 of 557

Question #942

An IAM role attached to an Amazon EC2 instance explicitly denies access to all Amazon DynamoDB API actions. The EC2 instance's credentials file contains IAM access keys that grant full administrative access. Considering the various IAM access mechanisms available to the EC2 instance, which statement is accurate?

A

The EC2 instance will only be able to list DynamoDB tables.

B

The EC2 instance will only be able to query one DynamoDB table at a time.

C

The EC2 instance will be able to perform all actions on any DynamoDB table.

D

The EC2 instance will not be able to perform any DynamoDB action on any DynamoDB table.

Explanation

In AWS IAM, an explicit deny in any policy overrides all other permissions. Here, the IAM role attached to the EC2 instance explicitly denies all DynamoDB actions. Even though the EC2 instance holds access keys that grant full administrative access, the explicit deny in the role's policy takes precedence, because the IAM role's policies are evaluated first when the EC2 instance makes API calls. The access keys in the credentials file are not used when a role is attached to the instance, since the role's temporary credentials are prioritized by default. The explicit deny therefore blocks all DynamoDB actions regardless of any other permissions.

Key Points:
1. IAM Policy Evaluation: Explicit denies always override allows.
2. Role Precedence: When an IAM role is attached to an EC2 instance, its policies are evaluated first.
3. Credentials Priority: Role-based credentials (obtained via instance metadata) are used by default unless explicitly overridden; the question does not describe any such override.
4. Explicit Deny Impact: The role's deny policy applies to all DynamoDB actions, making option D correct.

Answer

The correct answer is: D