While preparing for the AWS SAA-C03, many candidates get confused by IAM policy condition keys. In the real world, this is fundamentally a decision about Security Perimeter vs. Operational Flexibility. Let’s drill into a simulated scenario.
The Scenario #
TechFlow Industries operates a hybrid cloud infrastructure where development teams manage EC2 workloads across multiple AWS regions. The security team has identified a compliance requirement: only administrators connecting from the corporate VPN gateway (source IP: 10.100.100.254) should be able to terminate production EC2 instances in the primary us-east-1 region.
The Cloud Security Architect created an IAM policy and attached it to the ProductionAdmins IAM group containing 12 engineers. The policy includes conditions based on the requester’s source IP address and the target AWS region.
Key Requirements #
Determine the actual effect of the following IAM policy structure:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:TerminateInstances",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.100.100.254/32"
        },
        "StringEquals": {
          "aws:RequestedRegion": "us-east-1"
        }
      }
    }
  ]
}
The Options #
- A) Users can terminate EC2 instances in any AWS region except us-east-1.
- B) Users can terminate EC2 instances in us-east-1 only if the instance’s private IP address is 10.100.100.254.
- C) When the user’s source IP is 10.100.100.254, they can terminate EC2 instances in us-east-1.
- D) When the user’s source IP is 10.100.100.254, they cannot terminate EC2 instances in us-east-1.
Correct Answer #
C) When the user’s source IP is 10.100.100.254, they can terminate EC2 instances in us-east-1.
Step-by-Step Winning Logic #
This IAM policy uses positive conditional logic with an Allow effect:
- Effect: Allow → The policy grants permissions when the conditions are met
- Condition 1 (IpAddress): The requester's source IP must be 10.100.100.254
- Condition 2 (StringEquals): The target region must be us-east-1
- Boolean Logic: BOTH condition keys must be true (separate keys in one Condition block are ANDed; multiple values under one key would be ORed)
Result: Users can terminate EC2 instances in us-east-1 only when they are connecting from IP address 10.100.100.254 (typically the corporate VPN endpoint). Every other combination matches no statement and falls through to the implicit deny.
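To make the AND semantics concrete, the following is an added example (not AWS code and not part of the original question) that models just the two operators this policy uses, IpAddress and StringEquals, and evaluates the policy against a handful of constructed request contexts. The context dictionaries and their names are assumptions for illustration; the decision strings mirror what the IAM policy simulator reports.

```python
"""Toy IAM evaluator for the scenario policy (added example, not AWS code)."""
import ipaddress

# The policy from the scenario, transcribed as a Python dict.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "*",
            "Condition": {
                "IpAddress": {"aws:SourceIp": "10.100.100.254/32"},
                "StringEquals": {"aws:RequestedRegion": "us-east-1"},
            },
        }
    ],
}


def _match_operator(operator, expected, actual):
    """Evaluate one condition operator against one request-context value."""
    if actual is None:
        # A key absent from the request context never satisfies IpAddress or
        # StringEquals; only the ...IfExists variants tolerate a missing key.
        return False
    if operator == "IpAddress":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
    if operator == "StringEquals":
        return actual == expected
    raise ValueError(f"operator {operator!r} is not modelled by this toy evaluator")


def statement_matches(stmt, action, context):
    """True when the action matches and every condition key matches (logical AND)."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if action not in actions and "*" not in actions:
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        for key, expected in keys.items():
            values = expected if isinstance(expected, list) else [expected]
            # Several values under one key are ORed; separate keys are ANDed.
            if not any(_match_operator(operator, v, context.get(key)) for v in values):
                return False
    return True


def evaluate(policy, action, context):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if statement_matches(stmt, action, context):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            decision = "Allow"
    return decision


# Constructed request contexts covering the situations the four options describe.
REQUESTS = {
    "vpn_us_east_1": {"aws:SourceIp": "10.100.100.254", "aws:RequestedRegion": "us-east-1"},
    "vpn_eu_west_1": {"aws:SourceIp": "10.100.100.254", "aws:RequestedRegion": "eu-west-1"},
    "office_us_east_1": {"aws:SourceIp": "203.0.113.10", "aws:RequestedRegion": "us-east-1"},
    "vpn_region_key_missing": {"aws:SourceIp": "10.100.100.254"},
}


def decisions(action="ec2:TerminateInstances"):
    """Decision for every constructed request; only the first one is allowed."""
    return {name: evaluate(POLICY, action, ctx) for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    for name, outcome in decisions().items():
        print(f"{name:24s} -> {outcome}")
```

Note what the evaluator does not look at: the target instance's private IP never enters the request context, which is why option B cannot be right, and a different action such as ec2:StopInstances from the same VPN address is still implicitly denied because this statement only lists ec2:TerminateInstances.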
💎 Professional-Level Analysis #
This section breaks down the scenario from a professional exam perspective, focusing on constraints, trade-offs, and the decision signals used to eliminate incorrect options.
🔐 Expert Deep Dive: Why Options Fail #
This walkthrough explains how the exam expects you to reason through the scenario step by step, highlighting the constraints and trade-offs that invalidate each incorrect option.
🔐 The Traps (Distractor Analysis) #
This section explains why each incorrect option looks reasonable at first glance, and the specific assumptions or constraints that ultimately make it fail.
The difference between the correct answer and the distractors comes down to two assumptions candidates tend to get wrong: which party the condition key describes (the requester, not the resource), and whether an Allow with conditions implies a Deny when they are not met (it does not).
- Why not A? This reverses the logic. The policy does NOT create a "StringNotEquals" exclusion for us-east-1; it simply grants nothing outside us-east-1. Without additional policies, users have no permissions in other regions.
- Why not B? This confuses aws:SourceIp (the requester's IP address as seen by the AWS API endpoint) with the EC2 instance's IP address. The condition checks who is making the API call, not the target resource's IP.
- Why not D? This misinterprets the Allow effect as Deny. The policy grants permissions when conditions match; it doesn't block access when conditions are true. Blocking would require a separate statement with "Effect": "Deny".
🔐 The Solution Blueprint #
This blueprint visualizes the expected solution, showing how services interact and which architectural pattern the exam is testing.
Seeing the full solution end to end often makes the trade-offs—and the failure points of simpler options—immediately clear.
graph TD
    Admin(["Admin User<br/>Source IP: 10.100.100.254"]) -->|"API Call: TerminateInstances"| IAM["IAM Policy Evaluation"]
    IAM -->|"Condition Check 1"| IP{"aws:SourceIp = 10.100.100.254?"}
    IP -->|No| Deny["Implicit Deny"]
    IP -->|Yes| Region{"aws:RequestedRegion = us-east-1?"}
    Region -->|No| Deny
    Region -->|Yes| Allow["Allow Effect: ec2:TerminateInstances"]
    Allow --> EC2["EC2 Instance<br/>us-east-1"]
    EC2 -->|Terminate| Success["✓ Instance Terminated"]
    Deny --> Fail["✗ Access Denied"]
    style Allow fill:#90EE90,stroke:#333
    style Deny fill:#FFB6C1,stroke:#333
    style Success fill:#87CEEB,stroke:#333
Diagram Note: The diagram draws the two checks one after the other for readability. IAM evaluates the condition keys as a single logical AND; a request that fails either key matches no statement and falls through to the implicit deny, so the order of the checks does not matter.
🔐 Real-World Practitioner Insight #
This section connects the exam scenario to real production environments, highlighting how similar decisions are made—and often misjudged—in practice.
This is the kind of decision that frequently looks correct on paper, but creates long-term friction once deployed in production.
Exam Rule #
For the SAA-C03 exam, remember: aws:SourceIp in a Condition block with an Allow effect means permissions are granted only when the IP matches, and nothing is granted otherwise. Always check the Effect type first, then ask whether the condition key describes the requester or the resource. An explicit Deny in any other applicable policy (an SCP, a permissions boundary, or another identity policy) still overrides this Allow.
Real World #
In production environments, we typically enhance this pattern with:
- VPC Endpoint Policies to restrict EC2 API calls to private network paths (note that requests arriving through a VPC endpoint do not carry aws:SourceIp; use aws:VpcSourceIp or aws:SourceVpce there)
- SCPs (Service Control Policies) at the AWS Organizations level for defense-in-depth, so a mis-scoped identity policy cannot widen access
- CloudTrail + EventBridge to alert on ec2:TerminateInstances calls from non-compliant IPs, including attempts that IAM already denied
- Session Manager for shell access, so instances need no inbound SSH/RDP exposure and no management IP allow-lists
- Time-based conditions (aws:CurrentTime) to restrict termination to maintenance windows
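The CloudTrail + EventBridge item above is the detection side of this control. The following is an added example, not part of the original page, of the matching logic such an alert rule would apply: it walks CloudTrail records in their standard "Records" format, keeps only TerminateInstances calls, and flags those whose sourceIPAddress is outside the trusted VPN range. The allowed CIDR list and the three sample records are constructed for illustration.

```python
"""Flag ec2:TerminateInstances CloudTrail events from non-compliant source IPs.

Added example, not the page's or AWS's own code. The record shape is the
standard CloudTrail event format; the sample records below are constructed.
"""
import ipaddress
import json

# Assumption: the corporate VPN egress range(s) the policy trusts.
ALLOWED_SOURCE_CIDRS = ["10.100.100.254/32"]

# Constructed sample trail: one compliant termination, one denied attempt from
# an untrusted address, and one unrelated read-only call.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.100.100.254",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "Client.UnauthorizedOperation",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0fedcba9876543210"}]}}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]})


def source_is_allowed(ip, cidrs=ALLOWED_SOURCE_CIDRS):
    """True when the CloudTrail sourceIPAddress falls inside a trusted CIDR."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # Calls made by an AWS service on the principal's behalf log a DNS name
        # (e.g. "autoscaling.amazonaws.com") instead of an IP; treat those as
        # unmatched so they surface for review rather than silently passing.
        return False
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def find_noncompliant_terminations(trail_json, cidrs=ALLOWED_SOURCE_CIDRS):
    """Return an alert dict for every TerminateInstances call from outside cidrs."""
    alerts = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") != "TerminateInstances":
            continue
        if source_is_allowed(rec.get("sourceIPAddress", ""), cidrs):
            continue
        items = rec.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
        identity = rec.get("userIdentity", {})
        alerts.append({
            "time": rec.get("eventTime"),
            "principal": identity.get("userName") or identity.get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "region": rec.get("awsRegion"),
            "instances": [i["instanceId"] for i in items],
            # A denied call is still worth an alert: someone tried from the wrong place.
            "denied": "errorCode" in rec,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_noncompliant_terminations(SAMPLE_TRAIL):
        print(json.dumps(alert))
```

Keeping denied attempts in the output is deliberate: the IAM policy already stopped bob's call, but the attempt itself is the signal the security team wants. In a real deployment the same predicate (eventName plus a sourceIPAddress test) is what you would encode in the EventBridge rule's event pattern, with this code as the enrichment step in the target.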
The pure IP-based approach has limitations:
- aws:SourceIp is compared against the address the AWS API endpoint sees. A private VPN address such as 10.100.100.254 will only ever match if the request reaches AWS through a VPC endpoint, and in that case the key to use is aws:VpcSourceIp; for requests over the public internet the policy must list the VPN gateway's public egress address.
- VPN IP addresses can change during failover, silently locking out the administrators the policy was meant to allow
- Requests from inside a VPC that egress through a NAT gateway all arrive with the NAT gateway's Elastic IP, so every workload behind it is indistinguishable to the condition
- Mobile/remote workers require VPN connectivity (operational friction)
Modern alternatives reduce the dependency on source IP. AWS Systems Manager Session Manager removes the inbound SSH/RDP path and its IP allow-lists for instance access, while for control-plane calls such as ec2:TerminateInstances, identity-based conditions (for example aws:MultiFactorAuthPresent or aws:PrincipalTag) tie the decision to who the caller is rather than where they are connecting from.