AWS Certified SysOps Administrator – Associate (legacy) — Question 836

An organization has launched 5 instances: 2 for production and 3 for testing. The organization wants a particular group of IAM users to access only the test instances and not the production ones. They want to deploy the instances in various locations based on factors that will change from time to time, especially in the test group. They expect instances will often need to be churned, i.e. deleted and replaced, especially in the testing group. This means the five instances they have created now will soon be replaced by a different set of five instances. The members of each group, production and testing, will not change in the foreseeable future. Given the situation, which choice below is the most efficient and time-saving strategy to define the IAM policy?

Answer options

Correct answer: D

Explanation

Tag-based access control (ABAC) is the most efficient and scalable approach because it allows permissions to automatically apply to new instances as long as they are tagged correctly, eliminating the need to update IAM policies when instances are churned. Using instance IDs is impractical due to constant replacement, and restricting access by region limits the flexibility of deploying instances in changing locations. Restricting by instance size is insecure and does not align with functional environment boundaries.
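As an added illustration (not part of the original question or explanation), the following IAM policy shows what the tag-based approach looks like in practice. It assumes the test instances carry a tag `Environment=test` (the tag key and value are assumptions chosen for this example). Note that `ec2:DescribeInstances` does not support resource-level permissions, so listing must be allowed on `*`; the final Deny statement stops members of the test group from re-tagging an instance to move it across the boundary, since tag-based control is only as strong as control over the tags themselves.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListInstancesNoResourceLevelSupport",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    },
    {
      "Sid": "ManageOnlyInstancesTaggedEnvironmentTest",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Environment": "test"
        }
      }
    },
    {
      "Sid": "DenyChangingTheEnvironmentTag",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["Environment"]
        }
      }
    }
  ]
}
```

Because the Allow statement matches on the tag rather than on instance IDs or regions, replacement test instances become manageable as soon as they are launched with the tag, and the policy itself never needs editing.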