Is there a method or command in the IAM system to allow or deny access to a specific instance?
A. Only for VPC based instances
B. Yes
C. No
Explanation:
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-evaldenyallow
– By default, all requests are denied. (In general, requests made using the account credentials for resources in
the account are always allowed.)
– An explicit allow overrides this default.
– An explicit deny overrides any allows.
ANS C
Amazon EC2 uses SSH keys, Windows passwords, and security groups to control who has access to the operating system of specific Amazon EC2 instances. There’s no method in the IAM system to allow or deny access to the operating system of a specific instance.
I assume they are not asking about accessing the OS, but about a way in IAM (allows/denies) to permit accessing a specific instance.
In my opinion B is right.
You would be wrong then. There is no IAM method of controlling access to a specific instance inside of a VPC.
Yes, there is.
You can TAG instance and then deny all ec2 actions for tagged instance in IAM Policy.
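An added example of the tag-based approach described in the comment above (this is not code from any poster in this thread). It assumes a constructed account ID `123456789012`, a placeholder instance ID `i-EXAMPLE0123456789`, and an instance tag `Protected=true`; the last statement also denies tag changes on those instances, since a user who can remove the tag could otherwise escape the deny.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowInstanceLifecycleOnAnyInstance",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*"
    },
    {
      "Sid": "DenyOneSpecificInstanceByArn",
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-EXAMPLE0123456789"
    },
    {
      "Sid": "DenyAllProtectedTaggedInstances",
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "ec2:ResourceTag/Protected": "true" }
      }
    },
    {
      "Sid": "DenyTagTamperingOnProtectedInstances",
      "Effect": "Deny",
      "Action": [ "ec2:CreateTags", "ec2:DeleteTags" ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "ec2:ResourceTag/Protected": "true" }
      }
    }
  ]
}
```

Per the evaluation logic quoted in the explanation, the explicit Deny statements win over the Allow for the matching instance, while the Allow still covers every other instance; EC2 actions that do not support resource-level permissions simply do not match the instance-scoped Deny statements.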
C
This one is wrong. The answer is ‘C. No’
Yes, right, the answer is C. No access to a specific instance can be denied.
Correct answer: C
https://aws.amazon.com/premiumsupport/knowledge-center/restrict-ec2-iam/
C. NO
https://acloud.guru/forums/aws-certified-solutions-architect-associate/discussion/-KGlIZx-PxVVasgDy6u1/iam-controlling-access-on-specific-instances