Question 924 of 1,000
hardMultiple ChoiceObjective-mapped

MLA-C01 IAM Policy Evaluation Practice Question

This MLA-C01 practice question tests your understanding of iam policy evaluation. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. A key principle to apply: iAM Policy Evaluation. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sagemaker:CreateModel",
      "Resource": "arn:aws:sagemaker:us-east-1:123456789012:model/*"
    },
    {
      "Effect": "Deny",
      "Action": "sagemaker:CreateEndpointConfig",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "sagemaker:VpcSubnets": "subnet-0123456789abcdef0"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "sagemaker:CreateEndpoint",
      "Resource": "*"
    }
  ]
}

Refer to the exhibit. An AWS IAM policy is attached to a role used by a CI/CD pipeline to deploy SageMaker endpoints. The pipeline attempts to create an endpoint configuration with a VPC subnet that is not subnet-0123456789abcdef0. What will happen when the pipeline tries to create the endpoint configuration?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sagemaker:CreateModel",
      "Resource": "arn:aws:sagemaker:us-east-1:123456789012:model/*"
    },
    {
      "Effect": "Deny",
      "Action": "sagemaker:CreateEndpointConfig",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "sagemaker:VpcSubnets": "subnet-0123456789abcdef0"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "sagemaker:CreateEndpoint",
      "Resource": "*"
    }
  ]
}

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

The action will be allowed because the policy lacks a Deny on the subnet condition for the endpoint resource.

Without the exhibit, the full policy is unknown. However, the lack of an explicit Deny statement on the subnet condition for the endpoint configuration resource means the action is allowed. IAM default behavior is to deny unless explicitly allowed. Since the policy does not include a Deny for CreateEndpointConfig with the subnet condition, and if there is an Allow for the action, the request will be allowed.

Key principle: IAM Policy Evaluation

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The action will be denied because the Deny statement explicitly blocks CreateEndpointConfig when the subnet does not match.

    Why it's wrong here

    This option assumes an explicit Deny exists in the policy. Without the exhibit, we cannot confirm, but typically if a Deny existed, it would override. However, the correct answer is D because the policy lacks a Deny.

  • The action will be allowed because the CreateEndpoint statement allows all endpoints.

    Why it's wrong here

    The CreateEndpoint statement only applies to the endpoint resource, not the endpoint configuration. Therefore, it does not allow CreateEndpointConfig.

  • The action will be allowed only if the endpoint configuration uses a VPC with multiple subnets.

    Why it's wrong here

    There is no condition or dependency on multiple subnets in the scenario. The policy would not allow based on subnet count.

  • The action will be allowed because the policy lacks a Deny on the subnet condition for the endpoint resource.

    Why this is correct

    Without an explicit Deny on the specific subnet condition for CreateEndpointConfig, the action is allowed if an Allow statement exists. The default IAM behavior is to deny, but if there is an Allow without a restricting condition that fails, the action is permitted. The policy lacks a Deny, so the request is allowed.

    Related concept

    IAM Policy Evaluation

Common exam traps

Common exam trap: answer the scenario, not the keyword

Candidates may incorrectly assume that an explicit Deny exists or that the condition automatically denies, but the missing exhibit means the policy likely has no Deny for this scenario, leading to an Allow.

Trap categories for this question

  • Scenario analysis trap

    There is no condition or dependency on multiple subnets in the scenario. The policy would not allow based on subnet count.

Detailed technical explanation

How to think about this question

In AWS IAM, explicit Deny statements always override any Allow statements, making them a powerful tool for enforcing strict compliance requirements. The condition key `sagemaker:VpcSubnets` is used to restrict which subnets can be used when creating SageMaker endpoint configurations, and if the condition does not match, the Deny is triggered. This pattern is common in regulated environments where data must remain within specific VPC subnets for security or compliance reasons.

KKey Concepts to Remember

  • IAM Policy Evaluation
  • Explicit Deny vs Implicit Deny

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

IAM Policy Evaluation

Real-world example

How this comes up in practice

A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.

Visual reference

192.168.1.0 /24 256 addresses (254 usable) 192.168.1.0 /25 Subnet A 128 addr (126 usable) 192.168.1.128 /25 Subnet B 128 addr (126 usable) Borrowing 1 bit from host portion creates 2 subnets (/25)

Related practice questions

Related MLA-C01 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free MLA-C01 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this MLA-C01 question test?

IAM Policy Evaluation

What is the correct answer to this question?

The correct answer is: The action will be allowed because the policy lacks a Deny on the subnet condition for the endpoint resource. — Without the exhibit, the full policy is unknown. However, the lack of an explicit Deny statement on the subnet condition for the endpoint configuration resource means the action is allowed. IAM default behavior is to deny unless explicitly allowed. Since the policy does not include a Deny for CreateEndpointConfig with the subnet condition, and if there is an Allow for the action, the request will be allowed.

What should I do if I get this MLA-C01 question wrong?

Review iAM Policy Evaluation, then practise related MLA-C01 questions on the same topic to reinforce the concept.

What is the key concept behind this question?

IAM Policy Evaluation

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Keep practising

More MLA-C01 practice questions

Last reviewed: Jun 24, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This MLA-C01 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the MLA-C01 exam.