An organization has 4 people in the IT operations team who are responsible for managing the AWS
infrastructure. The organization wants to set things up so that each user has access to launch and
manage an instance in a zone which the other users cannot modify. Which of the options mentioned
below is the best solution to set this up?
A. Create four AWS accounts and give each user access to a separate account.
B. Create an IAM user and allow them permission to launch instances of different sizes only.
C. Create four IAM users and four VPCs and allow each IAM user to have access to a separate VPC.
D. Create a VPC with four subnets and allow access to each subnet for the individual IAM user.
Explanation:
A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. The user
can create subnets as required within a VPC. The VPC also works with IAM, and the
organization can create IAM users who have access to various VPC services. The organization
can set up access for an IAM user who can modify the security groups of the VPC. A sample
policy is given below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:region::image/ami-*",
        "arn:aws:ec2:region:account:subnet/subnet-1a2b3c4d",
        "arn:aws:ec2:region:account:network-interface/*",
        "arn:aws:ec2:region:account:volume/*",
        "arn:aws:ec2:region:account:key-pair/*",
        "arn:aws:ec2:region:account:security-group/sg-123abc123"
      ]
    }
  ]
}
With this policy the user can create four subnets in separate zones and give each IAM user access
to its own subnet.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html
C
Looks like C is the correct answer
The following policy grants users permission to launch instances into a specific subnet, and to use a specific security group in the request. The policy does this by specifying the ARN for subnet-1a2b3c4d, and the ARN for sg-123abc123. If users attempt to launch an instance into a different subnet or using a different security group, the request will fail (unless another policy or statement grants users permission to do so).
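To make the effect of the sample policy concrete, the following is an added example (not code from the page or from AWS) that builds one such policy per operator, each scoped to a different subnet, and runs a deliberately simplified IAM evaluation over a RunInstances request: every resource ARN the request touches must be covered by an Allow statement for the action. Region, account id and the extra subnet/security-group ids are constructed placeholders; the evaluator ignores Deny statements, conditions and the other permissions (such as ec2:Describe*) a real operator would also need.

```python
import re

# Constructed placeholders: the page uses the literal words "region" and "account"
REGION = "us-east-1"
ACCOUNT = "123456789012"


def run_instances_policy(subnet_id, sg_id, region=REGION, account=ACCOUNT):
    """Build the page's sample RunInstances policy scoped to one subnet and one security group."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                f"arn:aws:ec2:{region}::image/ami-*",
                f"arn:aws:ec2:{region}:{account}:subnet/{subnet_id}",
                f"arn:aws:ec2:{region}:{account}:network-interface/*",
                f"arn:aws:ec2:{region}:{account}:volume/*",
                f"arn:aws:ec2:{region}:{account}:key-pair/*",
                f"arn:aws:ec2:{region}:{account}:security-group/{sg_id}",
            ],
        }],
    }


def run_instances_request(subnet_id, sg_id, region=REGION, account=ACCOUNT):
    """The set of resource ARNs a RunInstances call is evaluated against (constructed ids)."""
    return [
        f"arn:aws:ec2:{region}::image/ami-0123456789abcdef0",
        f"arn:aws:ec2:{region}:{account}:subnet/{subnet_id}",
        f"arn:aws:ec2:{region}:{account}:network-interface/*",
        f"arn:aws:ec2:{region}:{account}:volume/*",
        f"arn:aws:ec2:{region}:{account}:key-pair/ops-key",
        f"arn:aws:ec2:{region}:{account}:security-group/{sg_id}",
    ]


def _pattern_matches(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' a single one."""
    regex = "^" + "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    ) + "$"
    return re.match(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, request_resources):
    """Simplified evaluation (assumption: no Deny statements, no Condition keys).

    A request is allowed only if every resource it touches is covered by an
    Allow statement whose Action matches; one uncovered ARN fails the whole call.
    """
    for arn in request_resources:
        covered = False
        for stmt in policy["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            if not any(_pattern_matches(a, action) for a in _as_list(stmt["Action"])):
                continue
            if any(_pattern_matches(r, arn) for r in _as_list(stmt["Resource"])):
                covered = True
                break
        if not covered:
            return False
    return True


# One policy per operator, each pinned to a different subnet (constructed ids)
OPERATOR_POLICIES = {
    "ops-user-1": run_instances_policy("subnet-1a2b3c4d", "sg-123abc123"),
    "ops-user-2": run_instances_policy("subnet-2b3c4d5e", "sg-123abc123"),
}


def can_launch(user, subnet_id, sg_id):
    """Would this operator's policy allow a launch into the given subnet with the given group?"""
    return is_allowed(OPERATOR_POLICIES[user], "ec2:RunInstances",
                      run_instances_request(subnet_id, sg_id))


if __name__ == "__main__":
    print(can_launch("ops-user-1", "subnet-1a2b3c4d", "sg-123abc123"))  # own subnet: True
    print(can_launch("ops-user-1", "subnet-2b3c4d5e", "sg-123abc123"))  # other subnet: False
    print(can_launch("ops-user-2", "subnet-2b3c4d5e", "sg-123abc123"))  # own subnet: True
```

Because IAM checks every resource the request names, the subnet ARN is what isolates the operators from each other: the wildcarded image, volume and key-pair entries are shared, but only the operator whose policy lists a given subnet can launch into it.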