AWS Certified Security – Specialty (SCS-C02) — Question 177
A company has two AWS accounts: Account A and Account B. Account A has an IAM role that IAM users in Account B assume when they need to upload sensitive documents to Amazon S3 buckets in Account A.
A new requirement mandates that users can assume the role only if they are authenticated with multi-factor authentication (MFA). A security engineer must recommend a solution that meets this requirement with minimum risk and effort.
Which solution should the security engineer recommend?
Answer options
- A. Add an aws:MultiFactorAuthPresent condition to the role's permissions policy.
- B. Add an aws:MultiFactorAuthPresent condition to the role's trust policy.
- C. Add an aws:MultiFactorAuthPresent condition to the session policy.
- D. Add an aws:MultiFactorAuthPresent condition to the S3 bucket policies.
Correct answer: B
Explanation
The correct answer is B. A role's trust policy is the resource-based policy that decides who may call sts:AssumeRole on it, so a condition placed there is evaluated at the moment of assumption. Adding "Bool": {"aws:MultiFactorAuthPresent": "true"} to the Allow statement means an Account B user whose call to AssumeRole is not MFA-authenticated (the key is absent or false) never receives the role's credentials, which is exactly what the requirement asks for, with a single policy change and no change to the S3 buckets. Options A and D (the role's permissions policy and the bucket policies) are evaluated only after the role has already been assumed, so they would refuse the S3 actions but not the assumption itself; option C (a session policy) is supplied by the caller at assumption time and can only narrow the session's permissions, so a caller could simply omit it. Two practical points: IAM users in Account B must pass SerialNumber and TokenCode in the AssumeRole call (or already hold MFA-authenticated temporary credentials) for the key to evaluate to true, and the trust policy should use the Bool operator rather than BoolIfExists, because BoolIfExists treats the absent key as a match and would let a plain long-term access key assume the role.
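The following worked example is added here and is not part of the original question or its explanation. It shows the trust policy that option B describes, a small evaluator for the Bool and BoolIfExists condition operators so the missing-key behaviour can be checked offline, and the Account B side of the call that passes the MFA device to sts:AssumeRole. The account IDs, role name, MFA serial and session name are placeholders invented for the example; assume_role is the real boto3 STS method, but the example accepts any object that exposes it so it runs without AWS credentials.

```python
"""Cross-account AssumeRole gated on MFA (added example, placeholder identifiers)."""
import json

ACCOUNT_A = "111111111111"   # owns the role and the S3 buckets (placeholder)
ACCOUNT_B = "222222222222"   # owns the IAM users that assume the role (placeholder)
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/DocumentUploader"  # placeholder name

# Trust policy attached to the role in Account A. The Bool condition on
# aws:MultiFactorAuthPresent is what option B adds: AssumeRole succeeds only
# when the caller's credentials were obtained with MFA.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }
    ],
}


def _condition_block_matches(operator, pairs, context):
    """Evaluate one condition operator against the request context.

    Only the two operators this example needs are implemented. IAM semantics:
    'Bool' does not match when the key is absent from the request (long-term
    access keys never carry aws:MultiFactorAuthPresent); 'BoolIfExists' treats
    an absent key as a match, which is why it must not be used in an Allow here.
    """
    if operator not in ("Bool", "BoolIfExists"):
        raise ValueError(f"unsupported condition operator: {operator}")
    for key, expected in pairs.items():
        if key not in context:
            if operator == "BoolIfExists":
                continue
            return False
        if str(context[key]).lower() != str(expected).lower():
            return False
    return True


def assume_role_allowed(policy, caller_account, context):
    """Return True if some Allow statement grants sts:AssumeRole to the caller.

    Simplified evaluator: account-root principals only, Allow statements only,
    and every condition block in a statement must match for it to apply.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions:
            continue
        if stmt["Principal"].get("AWS") != f"arn:aws:iam::{caller_account}:root":
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_block_matches(op, pairs, context)
               for op, pairs in conditions.items()):
            return True
    return False


def assume_role_with_mfa(sts_client, role_arn, mfa_serial, token_code,
                         session_name="document-upload"):
    """Account B side of the flow.

    Passing SerialNumber and TokenCode to AssumeRole is what makes the resulting
    session carry aws:MultiFactorAuthPresent = true. sts_client may be a real
    boto3 client (boto3.client("sts")) or any object exposing assume_role().
    """
    return sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        SerialNumber=mfa_serial,
        TokenCode=token_code,
    )


if __name__ == "__main__":
    print(json.dumps(TRUST_POLICY, indent=2))
    # MFA-authenticated caller from Account B: allowed.
    print(assume_role_allowed(TRUST_POLICY, ACCOUNT_B,
                              {"aws:MultiFactorAuthPresent": "true"}))
    # Same caller using plain long-term access keys (key absent): denied.
    print(assume_role_allowed(TRUST_POLICY, ACCOUNT_B, {}))
```

The evaluator deliberately treats an absent key differently for Bool and BoolIfExists so the difference named in the explanation can be exercised: swap the operator in TRUST_POLICY to BoolIfExists and the long-term-key case is allowed.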