A company is using AWS IAM Identity Center (AWS SSO). They want to enforce multi-factor authentication (MFA) for all users, but they want to allow users to register their own MFA devices without requiring administrator intervention. How can this be configured?

Answer options:

A.

Create an IAM policy that denies all actions unless aws:MultiFactorAuthPresent is true, and attach it to all users.

B.

Configure the MFA settings in IAM Identity Center to 'Require MFA' and enable 'Users can add and manage their own MFA devices'.

C.

Use AWS Directory Service for Microsoft Active Directory and configure MFA on the AD side.

D.

Write a custom AWS Lambda function to intercept login requests and prompt for MFA.

How to approach this question

Identify the native MFA configuration options within IAM Identity Center.

Full Answer

B.Configure the MFA settings in IAM Identity Center to 'Require MFA' and enable 'Users can add and manage their own MFA devices'.✓ Correct

AWS IAM Identity Center provides native configuration options to enforce MFA for all logins and allows administrators to enable self-service MFA device registration for users.

Common mistakes

Applying standard IAM MFA policies, which do not affect IAM Identity Center users.

Question 48 All questions Question 50

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 1

75 questions · hints · full answers · grading

Sign up free Take the exam

More questions from this exam

Q01An enterprise has 50 VPCs across two AWS Regions. They need to establish transitive routing betwe...Hard Q02A company uses AWS Organizations. The security team wants to ensure that no IAM user or role can ...Medium Q03An application requires a relational database with an RPO of 1 second and an RTO of less than 1 m...Hard Q04A company is setting up a new multi-account environment. They want to automate the provisioning o...Medium Q05An organization wants to allocate AWS costs to specific business units. They use AWS Organization...Hard

View all 75 questions →