Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 454 discussion

D STS seems to be the answer https://advancedweb.hu/aws-how-to-secure-access-keys-with-mfa/ https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html

The other options have limitations or do not fully meet the requirements: Option A (bucket policy with MFA prompt) does not enforce MFA for all S3 actions and may not work consistently with the AWS CLI. Option B (trust policy update for the group) does not enforce MFA for S3 actions specifically and may not work as intended with the AWS CLI. Option C (deny policy without temporary credentials) would require the cloud engineers to use their long-term IAM access keys, which is less secure and does not follow the principle of least privilege. By using temporary credentials obtained from AWS STS with MFA enforcement and attaching them to a named profile in the AWS CLI, you can provide a secure way for the cloud engineers to perform S3 operations while ensuring that MFA is required for those actions.

Option D uses IAM access keys with the AWS CLI and requests temporary credentials from AWS Security Token Service (AWS STS) that include MFA. This solution ensures that cloud engineers must use MFA when performing actions in Amazon S3 while also providing a secure way to use the AWS CLI. This approach aligns with the requirements of using MFA for S3 actions, minimizing security risks, and ensuring compliance with organizational policies.

access keys with AWS CLI will just skip the MFA

D is the correct answer, as STS is required here.

A & C are incorrect - Using IAM access keys with the AWS CLI would bypass the requirement for MFA. Not B - MFA should be required for specific actions, not just when assuming a role or group.