AWS Certified Security – Specialty — Question 149

A company has an AWS account and allows a third-party contractor, who uses another AWS account, to assume certain IAM roles. The company wants to ensure that IAM roles can be assumed by the contractor only if the contractor has multi-factor authentication enabled on their IAM user accounts.
What should the company do to accomplish this?

Answer options

• A. Add the following condition to the IAM policy attached to all IAM roles: "Effect": "Deny", "Condition" : { "BoolItExists" : { "aws:MultiFactorAuthPresent" : false } }
• B. Add the following condition to the IAM policy attached to all IAM roles: "Effect": "Deny", "Condition" : { "Bool" : { "aws:MultiFactorAuthPresent" : false } }
• C. Add the following condition to the IAM policy attached to all IAM roles: "Effect": "Allow", "Condition" : { "Null" : { "aws:MultiFactorAuthPresent" : false } }
• D. Add the following condition to the IAM policy attached to all IAM roles: "Effect": "Allow", "Condition" : { "BoolItExists" : { "aws:MultiFactorAuthPresent" : false } }

Correct answer: A

Explanation

The correct option is A, which denies the action if multi-factor authentication is not present, effectively enforcing its use. Option B is incorrect because it uses the wrong condition type 'Bool' instead of 'BoolItExists'. Option C mistakenly allows access even when MFA is absent, and option D incorrectly allows access based on a condition that is not relevant for enforcing MFA requirements.