AWS Certified SysOps Administrator – Associate (legacy) — Question 361
An organization has launched 5 instances: 2 for production and 3 for testing. The organization wants one particular group of IAM users to be able to access only the test instances and not the production ones. How can the organization enforce this as part of an IAM policy?
Answer options
- A. Launch the test and production instances in separate regions and allow region wise access to the group
- B. Define the IAM policy which allows access based on the instance ID
- C. Create an IAM policy with a condition which allows access to only small instances
- D. Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specific tags
Correct answer: D
Explanation
Using resource tags in IAM policy conditions is the AWS best practice for separating environments, because it enables scalable Attribute-Based Access Control (ABAC): the policy grants access to any instance carrying the required tag, so it keeps working as instances are added or replaced. Mapping access directly to instance IDs is possible, but the policy must be updated every time an instance is recreated. Restricting access by instance size or by region is impractical and does not guarantee secure isolation between testing and production workloads.