Medium · 1 mark · Multiple Choice
Domain 1.1: Secure Access · Domain 1 · Security · IAM · MFA

AWS SAA-C03 · Question 07 · Domain 1.1: Secure Access

A company wants to enforce strict security controls on its AWS environment. They want to ensure that all IAM users are required to use Multi-Factor Authentication (MFA) before they can access any AWS services via the CLI or Management Console. Which TWO actions should a solutions architect take to meet this requirement? (Select TWO.)

Answer options:

A. Create an IAM policy that denies all actions except IAM MFA management if the `aws:MultiFactorAuthPresent` condition is false.

B. Enable the 'Require MFA' setting in the AWS account settings.

C. Use AWS Config to automatically delete IAM users who do not have MFA enabled.

D. Attach the MFA enforcement IAM policy to an IAM group and place all users in that group.

E. Create a Service Control Policy (SCP) that requires MFA for all API calls.

How to approach this question

Look for the standard IAM condition key `aws:MultiFactorAuthPresent` and the best practice of applying policies to groups.

Full Answer

A,D
To enforce MFA, you create an IAM policy that uses the `aws:MultiFactorAuthPresent` condition key. If this evaluates to false, the policy denies all actions (except those needed to set up MFA). You then attach this policy to an IAM group containing all users.
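
The policy described above, as an added example that is not part of the original question. The exempted action list follows AWS's documented self-service MFA pattern and is an assumption here, as are the function names, the `Sid`, and the constructed request contexts. `is_denied` is a simplified model of this one statement, showing why `BoolIfExists` is needed: CLI requests signed with long-term access keys carry no `aws:MultiFactorAuthPresent` key at all.

```python
import json

# Actions a user without MFA still needs to enroll a device and get an
# MFA-backed session (assumed list, based on AWS's self-service MFA pattern).
MFA_SETUP_ACTIONS = [
    "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
    "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
    "sts:GetSessionToken",
]

def enforcement_policy(operator="BoolIfExists"):
    """Build the deny-unless-MFA policy that is attached to the IAM group."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllExceptMfaSetupWithoutMfa",  # hypothetical Sid
            "Effect": "Deny",
            "NotAction": MFA_SETUP_ACTIONS,
            "Resource": "*",
            "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }

def is_denied(policy, action, context):
    """Simplified model: does the single Deny statement match this request?"""
    stmt = policy["Statement"][0]
    if action in stmt["NotAction"]:
        return False  # MFA setup actions are exempt from the deny
    operator, test = next(iter(stmt["Condition"].items()))
    key, expected = next(iter(test.items()))
    if key not in context:
        # "...IfExists" treats a missing key as a match; plain Bool does not.
        return operator.endswith("IfExists")
    return context[key].lower() == expected

# Constructed request contexts (not captured from a real account).
CONSOLE_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
CLI_LONG_TERM_KEYS = {}  # access-key request: condition key is absent
CLI_MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}

if __name__ == "__main__":
    print(json.dumps(enforcement_policy(), indent=2))
    for op in ("BoolIfExists", "Bool"):
        denied = is_denied(enforcement_policy(op), "s3:ListAllMyBuckets",
                           CLI_LONG_TERM_KEYS)
        print(f"{op}: CLI with long-term keys denied = {denied}")
```

With plain `Bool`, the console is still blocked without MFA, but the access-key CLI path is not, so the requirement in the question is only half met.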

Common mistakes

Assuming there is a simple global switch to force MFA for all users.
