A security engineer at a company is required to limit a contractor's IAM account to access only the Amazon EC2 console within AWS, without providing any access to other AWS services. This restriction must be enforced such that even if the contractor's IAM account is later added to an IAM group with broader permissions, it should still be unable to access any other AWS services. What specific action should the security engineer implement to achieve this restricted access? | AWS Certified Security - Specialty Quiz