Amazon Web Services SAA-C03 Exam With Confidence Using Practice Dumps

The IAM policy includes two statements:

1️⃣ Allow ec2:TerminateInstances on all resources

2️⃣ Deny ec2:TerminateInstances if the request does NOT come from:

192.0.2.0/24

203.0.113.0/24

AWS IAM policy evaluation rules state:

Explicit Deny always overrides Allow.

A request must meet all applicable conditions in the policy to be granted.

aws:SourceIp condition applies when IAM actions are invoked via the public AWS APIs.

In this scenario, the administrator is not originating the request from one of the allowed CIDR blocks, so the Deny condition is triggered, overriding the Allow statement.

Therefore, the operation is blocked with:

403 AccessDenied: explicit deny

This matches the behavior described in the AWS IAM Policy Evaluation Logic used in the Security Pillar of the Well-Architected Framework:

Explicit Deny > Allow > Default Deny

IP-based Conditions restrict API calls originating outside approved network ranges

Options A/B/C do not accurately reflect this explicit Deny condition behavior.

AWS Lake Formation provides centralized data access control, including fine-grained (column-level) permissions for data stored in S3 and accessed through services like Amazon Athena.

Using a Lake Formation blueprint to ingest data from Aurora MySQL into the data lake keeps ingestion and governance integrated. When QuickSight uses Athena as the data source, Athena enforces Lake Formation’s column-level permissions automatically. This allows the marketing team to see only the authorized subset of columns without custom access-control logic.

Options A, B, and C rely on manually limiting columns at ingestion time or using IAM or S3 bucket policies, which do not provide true column-level authorization for SQL queries and require significantly more manual work and maintenance.

The key requirements are shared file access, NFS protocol compatibility, and no application changes. Amazon Elastic File System (EFS) is a fully managed, scalable file system that natively supports the NFS protocol, making it an ideal drop-in replacement for on-premises shared file systems used by Linux applications.

Option C allows the existing web servers to mount the EFS file system using standard NFS mount commands, preserving application behavior and avoiding code changes. EFS is designed to be accessed concurrently by multiple EC2 instances across Availability Zones, providing high availability and elasticity without manual capacity management. This aligns well with typical web server architectures that rely on shared content or assets.

Option A and B use Amazon S3, which is an object storage service and does not support NFS semantics. Migrating to S3 would require application changes to use object-based APIs instead of file system operations. Option D uses Amazon FSx for Windows File Server, which supports SMB, not NFS, and is intended for Windows-based workloads.

Therefore, C is the correct solution because Amazon EFS provides NFS compatibility, shared access, high availability, and minimal operational overhead while requiring no changes to the existing Linux-based web server applications.