1 Answers
Looks like this is the relevant doc – https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html. I don’t see anything that could be used to control a public IP.
There’s an "AllocateAddress" action for assigning an Elastic IP, but that’s only one way to get a public IP. There’s an action for AssignPrivateIPAddresses, but no corresponding one for public IPs. I don’t see anything in the conditions that looks for a public IP. You could use conditions to only allow an EC2 to be created in a known private subnet, but that doesn’t seem to be a good answer.
It would be interesting to see how this is done. If it isn’t possible, AWS should definitely add it.
Thanks Brian, I’m with your analysis on this. I believe the Exam simulator is therefore incorrect in stating this is a correct answer.
What if one uses `ec2:AssociatePublicIpAddress` ("Filters access by whether the user wants to associate a public IP address with the instance", Bool)? If such condition is true, deny createInstance.
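An added example, not part of any post in this thread: an IAM policy sketch of the approach in the last comment, a deny on instance launch when the `ec2:AssociatePublicIpAddress` condition key is true. It assumes the launch action is `ec2:RunInstances`, that the key is evaluated on the network-interface resource, and that Elastic IPs (the `AllocateAddress` route mentioned in the answer) should be blocked as well; the `Sid` values are made up for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLaunchWithPublicIp",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:network-interface/*",
      "Condition": {
        "Bool": {
          "ec2:AssociatePublicIpAddress": "true"
        }
      }
    },
    {
      "Sid": "DenyElasticIp",
      "Effect": "Deny",
      "Action": [
        "ec2:AllocateAddress",
        "ec2:AssociateAddress"
      ],
      "Resource": "*"
    }
  ]
}
```

Whether the condition key is also evaluated when the subnet's auto-assign setting, rather than the launch request, supplies the public address is not established in this thread and should be tested before relying on the policy.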