Medium · 1 mark · Multiple Choice
AWS SAA-C03 · Question 05 · Domain 1.1: Secure Access
A security team wants to enforce MFA for all IAM users before they can terminate EC2 instances. How can a Solutions Architect implement this requirement?
Answer options:
A. Enable MFA Delete on the EC2 instances.
B. Create an IAM policy with a condition 'aws:MultiFactorAuthPresent': 'true' for the ec2:TerminateInstances action.
C. Use AWS Organizations SCPs to enforce MFA for all API calls.
D. Configure AWS CloudTrail to block termination requests lacking MFA.
How to approach this question
Look for IAM policy conditions. The 'aws:MultiFactorAuthPresent' key is used to enforce MFA for specific actions.
Full Answer
B. Create an IAM policy with a condition 'aws:MultiFactorAuthPresent': 'true' for the ec2:TerminateInstances action. ✓ Correct
You can use the aws:MultiFactorAuthPresent condition key in an IAM policy to specify that MFA must be used to perform specific actions, like terminating instances.
Common mistakes
Thinking MFA Delete applies to EC2 (it only applies to S3).