AWS Certified Security – Specialty — Question 228

A company has two AWS accounts: Account A and Account B. Account A has an IAM role that IAM users in Account B assume when they need to upload sensitive documents to Amazon S3 buckets in Account A.
A new requirement mandates that users can assume the role only if they are authenticated with multi-factor authentication (MFA). A security engineer must recommend a solution that meets this requirement with minimum risk and effort.
Which solution should the security engineer recommend?

Answer options

Correct answer: B

Explanation

The correct answer is B because adding the aws:MultiFactorAuthPresent condition to the role's trust policy ensures that only users who have authenticated with MFA can assume the role, directly addressing the requirement. The other options are incorrect as they either apply conditions to policies that do not govern role assumption (like permissions or session policies) or are not relevant to the trust relationship needed for MFA authentication.
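As an added illustration that is not part of the original question, the trust policy below on the Account A role applies the condition from option B; the account ID 111122223333 is a placeholder for Account B's ID. `Bool` (rather than `BoolIfExists`) is used deliberately: a request in which the key is absent fails the condition and is denied, which is the stricter behaviour a trust policy should have.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccountBPrincipalsOnlyWithMfa",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
```

Account B users then satisfy the condition by supplying their MFA device serial and current code when calling sts:AssumeRole (the `--serial-number` and `--token-code` options of `aws sts assume-role`); a call without them yields no MFA context and is refused.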