An organization has setup multiple IAM users. The organization wants that each IAM user accesses the IAM
console only within the organization and not from outside. How can it achieve this?

A.
Create an IAM policy with the security group and use that security group for AWS console login

B.
Create an IAM policy with a condition which denies access when the IP address range is not from the
organization

C.
Configure the EC2 instance security group which allows traffic only from the organization’s IP range

D.
Create an IAM policy with VPC and allow a secure gateway between the organization and AWS
Console

Explanation:

AWS Identity and Access Management is a web service which allows organizations to manage users and user
permissions for various AWS services. The user can add conditions as a part of the IAM policies. The condition
can be set on AWS Tags, Time, and Client IP as well as on many other parameters. If the organization wants the
user to access only from a specific IP range, they should set an IAM policy condition which denies access when
the IP is not in a certain range. E.g. The sample policy given below denies all traffic when the IP is not in a
certain range.
“Statement”: [{
“Effect”: “Deny”,
“Action”: “*”,
“Resource”: “*”,
“Condition”: {
“NotIpAddress”: {
“aws:SourceIp”: [“10.10.10.0/24”, “20.20.30.0/24”]
}}
}]