AWS Certified Security – Specialty — Question 233

A company has an IAM group. All of the IAM users in the group have been assigned a multi-factor authentication (MFA) device and have full access to Amazon
S3.
The company needs to ensure that users in the group can perform S3 actions only after the users authenticate with MFA. A security engineer must design a solution that accomplishes this goal with the least maintenance overhead.
Which combination of actions will meet these requirements? (Choose two.)

Answer options

• A. Add a customer managed Deny policy to users in the group for s3:*actions.
• B. Add a customer managed Deny policy to the group for s3:*actions.
• C. Add a customer managed Allow policy to the group for s3:*actions.
• D. Add a condition to the policy: ג€Conditionג€ : { ג€BoolIfExistsג€ : { ג€aws:MultiFactorAuthPresentג€ : false } }
• E. Add a condition to the policy: ג€Conditionג€ : { ג€Boolג€ : { ג€aws:MultiFactorAuthPresentג€ : false } }

Correct answer: B, D

Explanation

Option B is correct because applying a Deny policy at the group level prevents all users in that group from performing S3 actions unless specified otherwise. Option D is also correct as it ensures that the actions are only allowed if MFA is present; if not, the policy denies access. The other options either do not effectively enforce the MFA requirement or are structured incorrectly.