Question-10: Suppose you attach a policy to an IAM user and specify condition such that request from a range of IP address (from your corporate network) can use AWS services like EBS, EC2 and KMS to encrypt and decrypt volume attached to EC2 instance. Now this same IAM user attempts to attach an encrypted volume to an EC2 instance and action fails even user has permission on all three required services. Why?
- Request from VPC which is not part of same AWS regions are not allowed.
- Request from different VPCs are not allowed.
- IP address is not listed correctly in the allowed list of IP addresses.
- Selected EC2 instance does not support encrypted EBS volume.
Detailed Explanation: If you don’t have correct knowledge than such options can confuse you and lead to choose wrong answer. In this case Request reaching to KMS to decrypt the volumes encrypted data key comes from the IP address of EC2 instance which does not allow IP addresses other than specified in the Policy Document. You allowed IP addresses from your corporate network but not the IP address of your EC2 instance. Similar issue can occur if you specify VPC based conditions in policy.