The correct modification is to add a Condition block with `"Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Production"}}` to the existing IAM policy. This works because the `ec2:ResourceTag/<key>` condition key is populated from the tags already attached to the target instance, so it lets you restrict resource-level EC2 actions such as start and stop to instances that carry a given tag, rather than to tags passed in the request or tags on the caller. On the AWS Certified DevOps Engineer Professional DOP-C02 exam, this tests your understanding of IAM policy conditions for resource-level control, a common scenario for DevOps engineers managing multi-environment infrastructure. A frequent trap is confusing `ec2:ResourceTag` (which checks existing tags on the resource) with `aws:RequestTag` (which checks tags supplied during the action). Memory tip: "ResourceTag reads the tag on the resource; RequestTag reads the tag in the request."
DOP-C02 Configuration Management and IaC Practice Question
This DOP-C02 practice question tests your understanding of configuration management and IaC. Match the stated requirement to the specific cloud service, access model, or configuration option; many options are valid in isolation but not for this scenario. Once you have made your selection, read the full explanation and wrong-answer breakdown below to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A DevOps engineer needs to create an IAM policy that allows a user to start and stop EC2 instances, but only for instances that have a specific tag 'Environment=Production'. The current policy allows all actions on all instances. Which modification must be made to enforce the tag-based restriction?
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
Add a Condition block: "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Production"}}
Option C is correct because the `ec2:ResourceTag` condition key allows you to restrict actions based on the tags already attached to the EC2 instance. By using `StringEquals` with `ec2:ResourceTag/Environment` set to `Production`, the policy will only permit the `ec2:StartInstances` and `ec2:StopInstances` actions on instances that currently have that tag. This is the standard AWS mechanism for tag-based resource-level authorization in IAM policies.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✗
Add a Condition block: "Condition": {"StringEquals": {"aws:PrincipalTag/Environment": "Production"}}
Why it's wrong here
aws:PrincipalTag is for tags on the IAM user, not on the instance.
✗
Change the Action to "ec2:Describe*" and add a NotAction element.
Why it's wrong here
Changing the Action to `ec2:Describe*` removes the start and stop permissions the user needs, and `NotAction` in an Allow statement grants every action except those listed, which broadens access instead of restricting it by tag.
✓
Add a Condition block: "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Production"}}
Why this is correct
This condition restricts the allowed actions to instances with the specified tag.
Related concept
Read the scenario before looking for a memorised answer.
✗
Add a Condition block: "Condition": {"StringEquals": {"aws:RequestTag/Environment": "Production"}}
Why it's wrong here
aws:RequestTag is for tags on the API request, not on the resource.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is confusing `ec2:ResourceTag` (tag on the resource) with `aws:RequestTag` (tag in the API request) or `aws:PrincipalTag` (tag on the user), leading candidates to pick a condition key that does not evaluate the instance's existing tags.
Detailed technical explanation
How to think about this question
Under the hood, `ec2:ResourceTag/<key>` is populated in the request context from the tags on the target instance at the time of the API call, so the check tracks tag changes in dynamic environments. The key is only present for actions that support resource-level permissions on instances: `ec2:StartInstances` and `ec2:StopInstances` do, `ec2:DescribeInstances` does not. When the key is absent from the request context, `StringEquals` evaluates to false, so bolting this condition onto a statement that also covers `Describe*` silently refuses those describe calls; give them a separate, unconditioned statement. In practice the Allow is paired with an explicit `Deny` on `ec2:CreateTags` and `ec2:DeleteTags` for instances, because a user who can retag an instance to `Environment=Production` can otherwise grant themselves start/stop on it and bypass the restriction.
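The policy shape described above, together with a small evaluator that reproduces the condition-key behaviour the distractors get wrong, as an added example that is not from the page or from AWS. The evaluator is a deliberately simplified model of IAM written for this example (Allow/Deny, explicit-deny precedence, wildcard matching and `StringEquals` only); the account ID, instance ID and tag values are constructed placeholders.

```python
import copy
import json
from fnmatch import fnmatchcase

# Constructed sample ARN; account and instance IDs are placeholders.
INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"

# Hardened policy: Describe* gets its own statement because it has no
# resource-level support, and an explicit Deny blocks retagging into scope.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "StartStopProductionOnly", "Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Production"}}},
        {"Sid": "ListInstances", "Effect": "Allow",
         "Action": "ec2:DescribeInstances", "Resource": "*"},
        {"Sid": "NoRetagging", "Effect": "Deny",
         "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
         "Resource": "arn:aws:ec2:*:*:instance/*"},
    ],
}

# The question's starting point ("all actions on all instances") with the condition bolted on.
NAIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
                   "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Production"}}}],
}

def _matches(patterns, value):
    """IAM-style wildcard match for Action and Resource elements."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    """Only StringEquals is modelled; a key missing from the context makes it false."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"{operator} is outside this toy model")
        for key, expected in pairs.items():
            allowed_values = expected if isinstance(expected, list) else [expected]
            if context.get(key) not in allowed_values:
                return False
    return True

def evaluate(policy, action, resource, context):
    """Simplified IAM decision: explicit Deny wins, then any Allow, else implicit deny."""
    decision = "IMPLICIT_DENY"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "DENY"
        decision = "ALLOW"
    return decision

def request_context(*, instance_tags=None, principal_tags=None, request_tags=None):
    """Build the request-context keys IAM would see for one API call."""
    ctx = {}
    for prefix, tags in (("ec2:ResourceTag/", instance_tags),
                         ("aws:PrincipalTag/", principal_tags),
                         ("aws:RequestTag/", request_tags)):
        for key, value in (tags or {}).items():
            ctx[prefix + key] = value
    return ctx

def with_condition_key(policy, key):
    """Copy of the policy whose start/stop statement tests a different condition key."""
    variant = copy.deepcopy(policy)
    stmt = next(s for s in variant["Statement"] if s.get("Sid") == "StartStopProductionOnly")
    stmt["Condition"] = {"StringEquals": {key: "Production"}}
    return variant

def check_scenarios():
    """Run the correct policy and the distractors against constructed requests."""
    start = "ec2:StartInstances"
    # The caller is an IAM user tagged Environment=Production; only the instance tag differs.
    prod = request_context(instance_tags={"Environment": "Production"},
                           principal_tags={"Environment": "Production"})
    staging = request_context(instance_tags={"Environment": "Staging"},
                              principal_tags={"Environment": "Production"})
    principal_tag = with_condition_key(POLICY, "aws:PrincipalTag/Environment")
    request_tag = with_condition_key(POLICY, "aws:RequestTag/Environment")
    return {
        "start_prod": evaluate(POLICY, start, INSTANCE_ARN, prod),
        "start_staging": evaluate(POLICY, start, INSTANCE_ARN, staging),
        "describe": evaluate(POLICY, "ec2:DescribeInstances", "*", {}),
        "retag": evaluate(POLICY, "ec2:CreateTags", INSTANCE_ARN, prod),
        # Option A: the user's own tag satisfies the check, so a Staging instance slips through.
        "principal_tag_staging": evaluate(principal_tag, start, INSTANCE_ARN, staging),
        # Option D: StartInstances carries no request tags, so even Production is refused.
        "request_tag_prod": evaluate(request_tag, start, INSTANCE_ARN, prod),
        # Naive policy: start/stop works, but Describe has no ResourceTag key and is refused.
        "naive_start_prod": evaluate(NAIVE_POLICY, start, INSTANCE_ARN, prod),
        "naive_describe": evaluate(NAIVE_POLICY, "ec2:DescribeInstances", "*", {}),
    }

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for name, decision in check_scenarios().items():
        print(f"{name:22} {decision}")
```

Before attaching such a policy for real, run the same scenarios through AWS's own evaluator with `aws iam simulate-custom-policy` (or `simulate-principal-policy` for an existing user), supplying the tag keys via `--context-entries`; the toy above only exists to make the trap visible offline.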
Key Concepts to Remember
Read the scenario before looking for a memorised answer.
Find the constraint that changes the correct option.
Eliminate answers that are true in general but not in this case.
Exam Day Tips
→ Watch for words such as best, first, most likely and least administrative effort.
→ Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Configuration Management and IaC — This question tests Configuration Management and IaC. Read the scenario before looking for a memorised answer.
What is the correct answer to this question?
The correct answer is: Add a Condition block: "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Production"}} — Option C is correct because the `ec2:ResourceTag` condition key allows you to restrict actions based on the tags already attached to the EC2 instance. By using `StringEquals` with `ec2:ResourceTag/Environment` set to `Production`, the policy will only permit the `ec2:StartInstances` and `ec2:StopInstances` actions on instances that currently have that tag. This is the standard AWS mechanism for tag-based resource-level authorization in IAM policies.
What should I do if I get this DOP-C02 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This DOP-C02 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the DOP-C02 exam.
Question Discussion