PAS-C01 IAM Policy Evaluation Logic Practice Question
This PAS-C01 practice question tests your understanding of operations and maintenance. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. A key principle to apply: IAM policy evaluation logic. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
Refer to the exhibit.
IAM policy attached to an EC2 instance role:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:CreateSnapshot",
        "ec2:CreateTags",
        "ec2:DeleteSnapshot"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "ec2:DeleteSnapshot",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:snapshot/snap-0abcdef1234567890"
    }
  ]
}
```
Refer to the exhibit. An operations team uses an EC2 instance with this IAM policy to manage EBS snapshots for SAP HANA backups. The backup script calls the DeleteSnapshot API for snapshot snap-0abcdef1234567890. What will happen?
A
The snapshot will be deleted because the Deny applies only to other snapshots.
Why wrong: Incorrect. The Deny statement explicitly lists the snapshot ARN, so it applies directly to snap-0abcdef1234567890, not just 'other snapshots'.
B
The snapshot will be deleted because the Allow statement grants permission.
Why wrong: Incorrect. Even though there is an Allow statement, the explicit Deny overrides it, so the DeleteSnapshot call will be denied.
C
The policy is invalid and will cause an error.
Why wrong: Incorrect. The policy is valid; explicit Deny statements are a common and valid way to restrict actions on specific resources.
D
The DeleteSnapshot API call will be denied.
Correct. The explicit Deny on the specific snapshot ARN ensures the DeleteSnapshot API call is denied.
Correct answer & explanation
✓
The DeleteSnapshot API call will be denied.
The correct answer is D. The IAM policy evaluation logic dictates that an explicit Deny overrides any Allow. Since the policy explicitly denies DeleteSnapshot for the specific snapshot snap-0abcdef1234567890, the API call will be denied even if an Allow statement exists. Option A is incorrect because the Deny is not restricted to 'other snapshots'; it specifically targets the snapshot in question. Option B is incorrect because the Allow does not override an explicit Deny. Option C is incorrect because the policy is syntactically valid; the explicit Deny is a legitimate policy statement.
Key principle: IAM Policy Evaluation Logic
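The precedence rule described above can be checked against the exhibit's policy with a small evaluator. This is an added example, not part of the original question and not AWS code: it is a simplified model of a single identity-based policy (no Condition, NotAction, NotResource, SCPs, permission boundaries or resource policies), and the function names and the second snapshot ARN in the demo are constructed for illustration.

```python
import re

# Resource ARN from the exhibit's Deny statement.
PROTECTED = "arn:aws:ec2:us-east-1:123456789012:snapshot/snap-0abcdef1234567890"

# The exhibit's policy, as given in the question.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:CreateSnapshot",
                    "ec2:CreateTags", "ec2:DeleteSnapshot"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:DeleteSnapshot", "Resource": PROTECTED},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, flags=0):
    # IAM patterns use * (any run of characters) and ? (any single character).
    for pattern in _as_list(patterns):
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, value, flags):
            return True
    return False

def evaluate(policy, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"              # nothing matched yet: default deny
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive; resource ARNs are compared as written.
        if not _matches(stmt["Action"], action, re.IGNORECASE):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"          # a matching Deny wins, whatever the order
        decision = "Allow"
    return decision

if __name__ == "__main__":
    other = "arn:aws:ec2:us-east-1:123456789012:snapshot/snap-0123456789abcdef0"  # constructed
    print(evaluate(POLICY, "ec2:DeleteSnapshot", PROTECTED))
    print(evaluate(POLICY, "ec2:DeleteSnapshot", other))
    print(evaluate(POLICY, "ec2:TerminateInstances", "*"))
```

The three outcomes map to the scenario: the backup script's call on the protected snapshot is an explicit deny, the same call on any other snapshot is allowed, and an action the policy never mentions falls through to the implicit deny.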
Related concept
IAM Policy Evaluation Logic
Common exam traps
Common exam trap: answer the scenario, not the keyword
A common trap is to assume that an Allow statement always grants access. In AWS IAM, an explicit Deny takes precedence over any Allow, even if the Allow appears more specific.
Detailed technical explanation
How to think about this question
Treat this as a scenario question. Identify the problem, the constraint, and the best action. Then compare each option against those facts.
Key Concepts to Remember
IAM Policy Evaluation Logic
Exam Day Tips
→ Watch for words such as best, first, most likely and least administrative effort.
→ Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
IAM Policy Evaluation Logic
Real-world example
How this comes up in practice
A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.
What to study next
Got this wrong? Here's your next step.
Review IAM Policy Evaluation Logic, then practise related PAS-C01 questions on the same topic to reinforce the concept.
Operations and Maintenance — This question tests Operations and Maintenance — IAM Policy Evaluation Logic.