AWS Certified Solutions Architect – Professional SAP-C01 – Question127

An organization has 4 people in the IT operations team who are responsible for managing the AWS infrastructure. The organization wants to set up access so that each user can launch and manage instances in a zone that the other users cannot modify.
Which of the options below is the best solution to set this up?

A. Create four AWS accounts and give each user access to a separate account.
B. Create an IAM user and allow them permission to launch instances of different sizes only.
C. Create four IAM users and four VPCs and allow each IAM user to have access to a separate VPC.
D. Create a VPC with four subnets and allow access to each subnet for the individual IAM user.

Correct Answer: D

Explanation:

A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. The user can create subnets within a VPC as required. The VPC also works with IAM, and the organization can create IAM users who have access to various VPC services. The organization can set up access for an IAM user who can modify the security groups of the VPC. A sample policy is given below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:region::image/ami-*",
        "arn:aws:ec2:region:account:subnet/subnet-1a2b3c4d",
        "arn:aws:ec2:region:account:network-interface/*",
        "arn:aws:ec2:region:account:volume/*",
        "arn:aws:ec2:region:account:key-pair/*",
        "arn:aws:ec2:region:account:security-group/sg-123abc123"
      ]
    }
  ]
}
With a policy of this form for each user, the organization can create four subnets in separate zones and grant each IAM user access to its own subnet only.
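The following is an added example, not part of the original question or of AWS documentation. It generates one RunInstances policy in the shape of the sample above for each of four operators, each scoped to that operator's own subnet and security group, and then checks with a simplified model of IAM resource matching that every operator can launch only into their own subnet. The region, account id, subnet ids, security group ids and user names are constructed placeholders, and the `policy_allows_launch` check is a deliberately reduced model (Allow statements and resource wildcards only; no Deny statements, conditions or SCPs), not AWS's real policy evaluator.

```python
"""Generate per-operator subnet-scoped RunInstances policies and verify,
with a simplified model of IAM resource matching, that each operator can
launch only into the subnet assigned to them. Added example; all ids below
are constructed placeholders, not real AWS resources."""
import fnmatch
import json

# Constructed sample values (not a real account or real resources)
REGION = "us-east-1"
ACCOUNT = "123456789012"
# operator -> (subnet in that operator's zone, security group for that subnet)
OPERATORS = {
    "ops-user-1": ("subnet-0aaa1111", "sg-0aaa1111"),
    "ops-user-2": ("subnet-0bbb2222", "sg-0bbb2222"),
    "ops-user-3": ("subnet-0ccc3333", "sg-0ccc3333"),
    "ops-user-4": ("subnet-0ddd4444", "sg-0ddd4444"),
}


def subnet_arn(region, account, subnet_id):
    return f"arn:aws:ec2:{region}:{account}:subnet/{subnet_id}"


def run_instances_policy(region, account, subnet_id, sg_id):
    """Policy in the shape of the page's sample: RunInstances is allowed only
    when every resource the launch touches (AMI, subnet, network interface,
    volume, key pair, security group) matches one of the listed ARNs. Only
    the subnet and security group are pinned to a single id."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": [
                    f"arn:aws:ec2:{region}::image/ami-*",
                    subnet_arn(region, account, subnet_id),
                    f"arn:aws:ec2:{region}:{account}:network-interface/*",
                    f"arn:aws:ec2:{region}:{account}:volume/*",
                    f"arn:aws:ec2:{region}:{account}:key-pair/*",
                    f"arn:aws:ec2:{region}:{account}:security-group/{sg_id}",
                ],
            }
        ],
    }


def policy_allows_launch(policy, region, account, subnet_id):
    """Simplified model of IAM's resource-level check (NOT the real evaluator:
    no Deny statements, Condition blocks, or SCPs are modelled). A launch into
    subnet_id is allowed only if some Allow statement covering
    ec2:RunInstances lists a Resource pattern matching the subnet's ARN;
    anything not explicitly allowed is implicitly denied."""
    target = subnet_arn(region, account, subnet_id)
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase("ec2:RunInstances", a) for a in actions):
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if any(fnmatch.fnmatchcase(target, r) for r in resources):
            return True
    return False


def build_policies():
    """One scoped policy per operator, keyed by user name."""
    return {
        user: run_instances_policy(REGION, ACCOUNT, subnet, sg)
        for user, (subnet, sg) in OPERATORS.items()
    }


def access_matrix():
    """For each operator, which of the four subnets they may launch into."""
    policies = build_policies()
    subnets = [subnet for subnet, _ in OPERATORS.values()]
    return {
        user: {s: policy_allows_launch(pol, REGION, ACCOUNT, s) for s in subnets}
        for user, pol in policies.items()
    }


if __name__ == "__main__":
    print(json.dumps(build_policies()["ops-user-1"], indent=2))
    for user, row in access_matrix().items():
        print(user, {s: "allow" if ok else "deny" for s, ok in row.items()})
```

Because RunInstances evaluates every resource in the call, pinning the subnet ARN is what confines each operator to their zone; pinning the security group keeps them from attaching another operator's group. In a real account the operators also need the read-only `ec2:Describe*` permissions the console and CLI use to list subnets and images, which this example does not include, and any organization-level Deny or SCP is evaluated before the Allow modelled here.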
Reference:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html