AWS SAP-C02 · Question 18 · Domain 1.2: Security Controls
A company requires that all IAM users authenticate using MFA before assuming any cross-account roles. They have a central Identity account and multiple workload accounts. How can the Solutions Architect enforce this requirement globally across the Organization?
Answer options:
Create an SCP attached to the root OU that denies the sts:AssumeRole action if the aws:MultiFactorAuthPresent condition key is false.
Update the trust policy of every IAM role in the workload accounts to require MFA.
Enable the 'Require MFA for cross-account access' setting in AWS IAM Identity Center.
Use AWS Config to detect roles without MFA requirements and delete them.
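The first option describes a service control policy (SCP) keyed on aws:MultiFactorAuthPresent. Written out, such an SCP looks like the following. This is an added example, not text from the exam page or an AWS-published policy; the Sid is an arbitrary name, and the aws:PrincipalType clause is a scoping choice added here so that the deny matches the question's wording (IAM users only) rather than also blocking role chaining by EC2, Lambda or CI roles.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAssumeRoleWithoutMfaForIamUsers",
      "Effect": "Deny",
      "Action": "sts:AssumeRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalType": "User"
        },
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

Two details matter when evaluating this approach. First, aws:MultiFactorAuthPresent is absent from the request context when an IAM user calls STS with long-term access keys; a plain `"Bool"` test does not match a missing key, so the deny would never fire for exactly the credentials that lack MFA. `"BoolIfExists"` treats the missing key as matching, which is why it is used here. Second, an SCP is a guardrail, not a grant: it only restricts principals in member accounts below the OU it is attached to, it never affects the management account, and the role's trust policy and the user's identity policy must still allow the assumption on their own.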
Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 4