AWS Certified Solutions Architect – Professional (SAP-C02) — Question 446

A solutions architect must provide a secure way for a team of cloud engineers to use the AWS CLI to upload objects into an Amazon S3 bucket. Each cloud engineer has an IAM user, IAM access keys, and a virtual multi-factor authentication (MFA) device. The IAM users for the cloud engineers are in a group that is named S3-access. The cloud engineers must use MFA to perform any actions in Amazon S3.

Which solution will meet these requirements?

Answer options

• A. Attach a policy to the S3 bucket to prompt the IAM user for an MFA code when the IAM user performs actions on the S3 bucket. Use IAM access keys with the AWS CLI to call Amazon S3.
• B. Update the trust policy for the S3-access group to require principals to use MFA when principals assume the group. Use IAM access keys with the AWS CLI to call Amazon S3.
• C. Attach a policy to the S3-access group to deny all S3 actions unless MFA is present. Use IAM access keys with the AWS CLI to call Amazon S3.
• D. Attach a policy to the S3-access group to deny all S3 actions unless MFA is present. Request temporary credentials from AWS Security Token Service (AWS STS). Attach the temporary credentials in a profile that Amazon S3 will reference when the user performs actions in Amazon S3.

Correct answer: D

Explanation

To enforce MFA with the AWS CLI, users must request temporary security credentials using AWS STS (e.g., via the get-session-token API) because long-term access keys cannot directly transmit MFA codes. By implementing an IAM policy on the group that denies S3 access without MFA ('aws:MultiFactorAuthPresent': 'false'), engineers are forced to use these MFA-validated temporary credentials. Option B is incorrect because IAM groups do not support trust policies, and options A and C fail because standard API calls using long-term access keys cannot satisfy the MFA condition.