Which of the following actions are allowed for the IAM user?
A company has attached the following policy to an IAM user:
Which of the following actions are allowed for the IAM user?
A. Amazon RDS DescribeDBInstances action in the us-east-1 Region
B. Amazon S3 PutObject operation in a bucket named testbucket
C. Amazon EC2 DescribeInstances action in the us-east-1 Region
D. Amazon EC2 AttachNetworkInterface action in the eu-west-1 Region
Answer: A
Explanation:
Based on the attached policy, the following actions are allowed for the IAM user:
Allow Amazon RDS DescribeDBInstances Action:
The policy allows rds:Describe* actions on all resources without any condition, so the user can describe RDS instances in any region.
Example action:
rds:DescribeDBInstances
Reference: Amazon RDS IAM Policies
Allow Amazon EC2 Actions in us-east-1 with Condition:
The policy allows ec2:* actions in the us-east-1 region based on the condition StringEquals for ec2:Region.
Example action:
ec2:DescribeInstances (only in us-east-1)
Reference: Amazon EC2 IAM Policies
Deny All Other EC2 Actions Globally:
The policy explicitly denies all actions that are not ec2:*, which means it blocks any other EC2 actions that don’t match the allow rule above.
Reference: IAM JSON Policy Elements: NotAction
Given these details, the only valid action among the options is:
A. Amazon RDS DescribeDBInstances action in the us-east-1 Region