AWS Certified SysOps Administrator – Associate (legacy) — Question 315
An organization has set up multiple IAM users. The organization wants each IAM user to access the IAM console only from within the organization's network and not from outside. How can it achieve this?
Answer options
- A. Create an IAM policy with the security group and use that security group for AWS console login
- B. Create an IAM policy with a condition which denies access when the IP address range is not from the organization
- C. Configure the EC2 instance security group which allows traffic only from the organization's IP range
- D. Create an IAM policy with VPC and allow a secure gateway between the organization and AWS Console
Correct answer: B
Explanation
To restrict IAM console access to a specific corporate network, you use an IAM policy whose Condition block tests the 'aws:SourceIp' key and applies an explicit 'Deny' effect to requests whose source IP falls outside the organization's ranges. Security groups control network traffic to EC2 instances and other resources inside a VPC; they play no part in authenticating or authorizing sign-in to the AWS Management Console, so options A and C are incorrect. Option D is incorrect because a VPC-scoped policy does not by itself restrict console logins, which arrive over the public AWS endpoints; only an IP-based (or similar request-context) condition does that.
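As an added illustration (not part of the original question or of any AWS sample), the following Python block shows the policy shape option B describes and a small, simplified model of how IAM evaluates its condition: the CIDR ranges are constructed placeholders, the `aws:ViaAWSService` clause is the usual safeguard that keeps the Deny from also blocking calls AWS services make on the user's behalf, and `is_denied` only models the Deny-wins rule for this one statement type, not full IAM evaluation.

```python
"""Identity-based IAM policy that denies use of the console/API from outside the
organization's IP ranges, plus a simplified evaluator for its Condition block."""
import ipaddress

# Corporate egress ranges (constructed placeholders; use your real NAT/proxy ranges).
CORPORATE_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]

# The policy option B describes: explicit Deny when the caller's source IP is
# NOT in the organization's ranges. aws:ViaAWSService "false" keeps the Deny
# from also hitting requests that an AWS service issues on the user's behalf.
DENY_OUTSIDE_CORP_NETWORK = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAccessFromOutsideCorporateNetwork",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "NotIpAddress": {"aws:SourceIp": CORPORATE_CIDRS},
            "Bool": {"aws:ViaAWSService": "false"},
        },
    }],
}


def _condition_matches(condition: dict, ctx: dict) -> bool:
    """True when every operator/key pair in the Condition block matches ctx."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            values = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key)
            if operator == "NotIpAddress":
                ip = ipaddress.ip_address(actual)
                # Inside any listed range -> NotIpAddress does not match.
                if any(ip in ipaddress.ip_network(cidr) for cidr in values):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(values[0]).lower():
                    return False
            else:
                raise ValueError(f"unsupported operator in this model: {operator}")
    return True


def is_denied(policy: dict, source_ip: str, via_aws_service: bool = False) -> bool:
    """Simplified IAM evaluation: a matching Deny statement always wins."""
    ctx = {"aws:SourceIp": source_ip,
           "aws:ViaAWSService": str(via_aws_service).lower()}
    return any(stmt["Effect"] == "Deny"
               and _condition_matches(stmt.get("Condition", {}), ctx)
               for stmt in policy["Statement"])
```

Attach the policy to the users (or, better, to a group they all belong to); a request from 203.0.113.42 is allowed through to the normal Allow evaluation, while one from 192.0.2.7 is refused.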