AWS Certified Security - Specialty SCS-C02 Exam Questions

AWS Certified Security - Specialty SCS-C02 Exam - Question 38


A company's security engineer has been tasked with restricting a contractor's IAM account access to the company’s Amazon EC2 console without providing access to any other AWS services. The contractor's IAM account must not be able to gain access to any other AWS service, even if the IAM account is assigned additional permissions based on IAM group membership.

What should the security engineer do to meet these requirements?

Correct Answer: B

To ensure that the contractor's IAM account has access only to Amazon EC2 and is restricted from accessing any other AWS services, including those that might be granted through IAM group memberships, an IAM permissions boundary policy should be created. This boundary policy will allow Amazon EC2 access while defining the maximum permissions possible for the account, thereby effectively preventing access to any other services. This approach provides a robust mechanism to restrict the scope of access and adheres to the principle of least privilege, meeting the security requirements outlined.
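The point of the answer is that a permissions boundary does not grant anything by itself; the effective permissions are the intersection of what the identity-based policies (user, group, inline) allow and what the boundary allows. The following is an added example, not part of the original page, that models this with a deliberately reduced evaluator: the boundary document is EC2-only, the identity policies are constructed, and resource ARNs, conditions, SCPs and resource-based policies are ignored.

```python
"""Reduced model of how an IAM permissions boundary caps a user's access.

Simplification (not IAM's full algorithm): an explicit Deny wins, otherwise the
identity policies AND the boundary must both Allow the action. Resource ARNs,
conditions, SCPs and resource-based policies are ignored.
"""
from fnmatch import fnmatchcase

# The boundary policy document: EC2 only. It would be created with
# `aws iam create-policy` and attached with `aws iam put-user-permissions-boundary`.
EC2_ONLY_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

# Constructed identity policies: the contractor's own EC2 grant plus a
# broader grant that a later group membership might add.
CONTRACTOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}],
}
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _matches(statement, action):
    # IAM action names are matched case-insensitively, with * and ? wildcards.
    actions = statement["Action"]
    if isinstance(actions, str):
        actions = [actions]
    return any(fnmatchcase(action.lower(), a.lower()) for a in actions)


def _decision(policies, action):
    """'Deny', 'Allow' or None (implicit deny) across a set of policy documents."""
    effects = {s["Effect"] for p in policies for s in p["Statement"] if _matches(s, action)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None


def is_allowed(action, identity_policies, boundary=None):
    """Effective permission = identity Allow, intersected with the boundary if set."""
    if _decision(identity_policies, action) != "Allow":
        return False
    return boundary is None or _decision([boundary], action) == "Allow"
```

With the boundary attached, `is_allowed("s3:GetObject", [CONTRACTOR_POLICY, GROUP_POLICY], EC2_ONLY_BOUNDARY)` returns False even though the group policy grants `s3:*`; without the boundary the same call returns True.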

Discussion

13 comments
WeepingMaplte (Option: B)
Jun 11, 2024

IAM permissions boundary policy is a managed policy that defines the maximum permissions that an identity-based policy can grant to an IAM entity (user or role). It essentially acts as a safety net to prevent users and roles from exceeding their intended permissions.

kejam
May 10, 2024

Answer B https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_bound

kk2000
Apr 7, 2024

B is the correct answer

100fold (Option: B)
Apr 19, 2024

Answer B

YR4591 (Option: B)
May 16, 2024

B is right

Daniel76 (Option: B)
Jun 2, 2024

Only B talks about restricting the access, by using a permission boundary. D - if you assign more than one role to the vendor, there's always a risk that the instruction is not followed. A, C - regardless of feasibility, creating an allow doesn't block the vendor from accessing services other than the EC2 instance.

trashbox
Jun 19, 2024

Exam on 2023-12-18

Raphaello
Aug 9, 2024

What do you mean?

awssecuritynewbie (Option: C)
May 27, 2024

The answer should be C; creating an inline does not deny him access to everything else, and it also makes it harder to manage and scale.

Aamee (Option: B)
May 30, 2024

B makes more sense to me, as it would explicitly define the specific service-based IAM permissions policy, which can then be associated with the contractor's IAM account and which then helps restrict his access to only the service level in question.

Raphaello (Option: B)
Aug 9, 2024

IAM permissions boundary definition use.

navid1365 (Option: B)
Nov 14, 2024

A permissions boundary defines the maximum level of access that an IAM identity can have.

c6ed25a (Option: B)
Mar 23, 2025

B. Boundary defines limitation.