Domain 1.2: Security Controls — AWS SAP-C02 Practice Question 58

How to approach this question

Identify the IAM condition key for MFA.

Full Answer

B.Attach an IAM policy to all users that denies all actions unless the aws:MultiFactorAuthPresent condition key is true.✓ Correct

Attach an IAM policy to all users that denies all actions unless the aws:MultiFactorAuthPresent condition key is true.

To enforce MFA for API/CLI access for IAM users, you must use an IAM policy with the `aws:MultiFactorAuthPresent` condition key set to `true`. Users must then use `sts:GetSessionToken` with their MFA code to get temporary credentials.

Common mistakes

Assuming enabling MFA in the console automatically protects the CLI.

A company requires that all IAM users authenticate using Multi-Factor Authentication (MFA) before they can access any AWS APIs via the CLI. How can the Solutions Architect enforce this requirement globally across the AWS account?

How to approach this question

Full Answer

Common mistakes

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 7

More questions from this exam