AWS Certified Security – Specialty — Question 306
A security engineer is attempting to assign a virtual multi-factor authentication (MFA) device to an IAM user whose current virtual MFA device is faulty. The security engineer receives an error message that indicates that the security engineer is not authorized to perform iam:DeleteVirtualMFADevice.
The IAM role that the security engineer is using has the correct permissions to delete, list, and create a virtual MFA device. The IAM user also has permissions to delete their own virtual MFA device, but only if the IAM user is authenticated with MFA.
What should the security engineer do to resolve this issue?
Answer options
- A. Modify the policy for the IAM user to allow the IAM user to delete the virtual MFA device without using MFA authentication.
- B. Sign in as the AWS account root user. Modify the MFA device by using the IAM console to generate a new synchronization quick response (QR) code.
- C. Use the AWS CLI or AWS API to find the ARN of the virtual MFA device and to delete the device.
- D. Sign in as the AWS account root user. Delete the virtual MFA device by using the IAM console.
Correct answer: C
Explanation
The security engineer's IAM role already holds the permissions needed to list and delete virtual MFA devices, so the deletion can be performed programmatically rather than through the console flow that produced the authorization error. Using the AWS CLI or AWS API, the engineer can look up the faulty device's ARN and delete that device directly. This resolves the issue without weakening the IAM user's policy (option A) and without signing in as the AWS account root user (options B and D), which should be reserved for tasks that genuinely require it and is contrary to AWS security best practices.