This MLA-C01 practice question tests your understanding of iam policy evaluation. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. A key principle to apply: iAM Policy Evaluation. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Refer to the exhibit. An AWS IAM policy is attached to a role used by a CI/CD pipeline to deploy SageMaker endpoints. The pipeline attempts to create an endpoint configuration with a VPC subnet that is not subnet-0123456789abcdef0. What will happen when the pipeline tries to create the endpoint configuration?
The action will be denied because the Deny statement explicitly blocks CreateEndpointConfig when the subnet does not match.
Why wrong: This option assumes an explicit Deny exists in the policy. Without the exhibit, we cannot confirm, but typically if a Deny existed, it would override. However, the correct answer is D because the policy lacks a Deny.
B
The action will be allowed because the CreateEndpoint statement allows all endpoints.
Why wrong: The CreateEndpoint statement only applies to the endpoint resource, not the endpoint configuration. Therefore, it does not allow CreateEndpointConfig.
C
The action will be allowed only if the endpoint configuration uses a VPC with multiple subnets.
Why wrong: There is no condition or dependency on multiple subnets in the scenario. The policy would not allow based on subnet count.
D
The action will be allowed because the policy lacks a Deny on the subnet condition for the endpoint resource.
Without an explicit Deny on the specific subnet condition for CreateEndpointConfig, the action is allowed if an Allow statement exists. The default IAM behavior is to deny, but if there is an Allow without a restricting condition that fails, the action is permitted. The policy lacks a Deny, so the request is allowed.
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
The action will be allowed because the policy lacks a Deny on the subnet condition for the endpoint resource.
Without the exhibit, the full policy is unknown. However, the lack of an explicit Deny statement on the subnet condition for the endpoint configuration resource means the action is allowed. IAM default behavior is to deny unless explicitly allowed. Since the policy does not include a Deny for CreateEndpointConfig with the subnet condition, and if there is an Allow for the action, the request will be allowed.
Key principle: IAM Policy Evaluation
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✗
The action will be denied because the Deny statement explicitly blocks CreateEndpointConfig when the subnet does not match.
Why it's wrong here
This option assumes an explicit Deny exists in the policy. Without the exhibit, we cannot confirm, but typically if a Deny existed, it would override. However, the correct answer is D because the policy lacks a Deny.
✗
The action will be allowed because the CreateEndpoint statement allows all endpoints.
Why it's wrong here
The CreateEndpoint statement only applies to the endpoint resource, not the endpoint configuration. Therefore, it does not allow CreateEndpointConfig.
✗
The action will be allowed only if the endpoint configuration uses a VPC with multiple subnets.
Why it's wrong here
There is no condition or dependency on multiple subnets in the scenario. The policy would not allow based on subnet count.
✓
The action will be allowed because the policy lacks a Deny on the subnet condition for the endpoint resource.
Why this is correct
Without an explicit Deny on the specific subnet condition for CreateEndpointConfig, the action is allowed if an Allow statement exists. The default IAM behavior is to deny, but if there is an Allow without a restricting condition that fails, the action is permitted. The policy lacks a Deny, so the request is allowed.
Related concept
IAM Policy Evaluation
Common exam traps
Common exam trap: answer the scenario, not the keyword
Candidates may incorrectly assume that an explicit Deny exists or that the condition automatically denies, but the missing exhibit means the policy likely has no Deny for this scenario, leading to an Allow.
Trap categories for this question
Scenario analysis trap
There is no condition or dependency on multiple subnets in the scenario. The policy would not allow based on subnet count.
Detailed technical explanation
How to think about this question
In AWS IAM, explicit Deny statements always override any Allow statements, making them a powerful tool for enforcing strict compliance requirements. The condition key `sagemaker:VpcSubnets` is used to restrict which subnets can be used when creating SageMaker endpoint configurations, and if the condition does not match, the Deny is triggered. This pattern is common in regulated environments where data must remain within specific VPC subnets for security or compliance reasons.
KKey Concepts to Remember
IAM Policy Evaluation
Explicit Deny vs Implicit Deny
TExam Day Tips
→Watch for words such as best, first, most likely and least administrative effort.
→Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
IAM Policy Evaluation
Real-world example
How this comes up in practice
A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.
Visual reference
What to study next
Got this wrong? Here's your next step.
Review iAM Policy Evaluation, then practise related MLA-C01 questions on the same topic to reinforce the concept.
The correct answer is: The action will be allowed because the policy lacks a Deny on the subnet condition for the endpoint resource. — Without the exhibit, the full policy is unknown. However, the lack of an explicit Deny statement on the subnet condition for the endpoint configuration resource means the action is allowed. IAM default behavior is to deny unless explicitly allowed. Since the policy does not include a Deny for CreateEndpointConfig with the subnet condition, and if there is an Allow for the action, the request will be allowed.
What should I do if I get this MLA-C01 question wrong?
Review iAM Policy Evaluation, then practise related MLA-C01 questions on the same topic to reinforce the concept.
What is the key concept behind this question?
IAM Policy Evaluation
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This MLA-C01 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the MLA-C01 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.