A network engineer is creating an IAM policy for a DevOps team. The team needs to manage VPN connections. What is the effect of this policy?
All actions are allowed on all resources.
Why this answer
The IAM policy grants the `ec2:*` action on the VPN-related resources matched by `*vpn*`. That covers every VPN connection operation (create, modify, delete, describe) as well as the associated resources such as VPN gateways and customer gateways. A full action wildcard on these VPN resources enables complete lifecycle management, making option B correct.
Exam trap
AWS often tests the misconception that a wildcard resource ARN like `*vpn*` covers only VPN connections; it actually matches all VPN-related resources (VPN gateways, customer gateways), and the `ec2:*` action allows every operation on them, not just read-only or limited management.
How to eliminate wrong answers
Option A is wrong because the policy does not explicitly deny deletion; it allows all actions on VPN resources, including deletion. Option C is wrong because the policy uses a wildcard (`*vpn*`) that covers VPN connections, VPN gateways, and customer gateways, not just VPN connections. Option D is wrong because the policy grants full management actions (e.g., `CreateVpnConnection`, `DeleteVpnConnection`), not just read-only access like `DescribeVpnConnections`.