An organization has setup multiple IAM users. The organization wants that each IAM user
accesses the IAM console only within the organization and not from outside. How can it achieve

this?

A.
Create an IAM policy with the security group and use that security group for AWS console login

B.
Create an IAM policy with a condition which denies access when the IP address range is not
from the
organization

C.
Configure the EC2 instance security group which allows traffic only from the organization’s IP
range

D.
Create an IAM policy with VPC and allow a secure gateway between the organization and AWS
Console

Explanation:
AWS Identity and Access Management is a web service which allows organizations to manage
users and user permissions for various AWS services. The user can add conditions as a part of
the IAM policies. The condition can be set on AWS Tags, Time, and Client IP as well as on many
other parameters. If the organization wants the user to access only from a specific IP range, they
should set an IAM policy condition which denies access when the IP is not in a certain range. E.g.
The sample policy given below denies all traffic when the IP is not in a certain range.
“Statement”: [{
“Effect”: “Deny”,
“Action”: “*”,
“Resource”: “*”,
“Condition”: {
“NotIpAddress”: {
“aws:SourceIp”: [“10.10.10.0/24”, “20.20.30.0/24”]
}}
}]