A solutions architect must analyze and update a company's existing IAM policies prior to deploying a new workload. The solutions architect created the following policy: What is the net effect of this policy?
A. Users will be allowed all actions except s3:PutObject if multi-factor authentication (MFA) is enabled.
B. Users will be allowed all actions except s3:PutObject if multi-factor authentication (MFA) is not enabled.
C. Users will be denied all actions except s3:PutObject if multi-factor authentication (MFA) is enabled.
D. Users will be denied all actions except s3:PutObject if multi-factor authentication (MFA) is not enabled.
And the answer is D. A similar situation is described at the link below, which says: "The following conditional example denies access to non-IAM actions if the user is not signed in using MFA."
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html
Note:
"Effect": "Deny"
* = All resources
NotAction:S3:PutObject = Except S3:PutObject
Condition: aws:MultiFactorAuthPresent:false = If MFA is not enabled
Guys, I think C is the correct answer here. The NotAction element means deny all except s3:PutObject. The condition BoolIfExists: "aws:MultiFactorAuthPresent": "false" denies the action when the user doesn't authenticate using MFA.
Source:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html
https://aws.amazon.com/premiumsupport/knowledge-center/enforce-mfa-other-account-access-bucket
Unless the answers changed since you wrote this, you chose C but your reasoning is D.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-multifactorauthpresent
it's C:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-multifactorauthpresent
"Effect" : "Deny",
"Condition" : { "BoolIfExists" : { "aws:MultiFactorAuthPresent" : "false" } }
This combination of Deny, BoolIfExists, and false denies requests that are not authenticated using MFA.
so if MFA is disabled - Put API is denied.
D means - everything is denied if MFA is enabled... seriously?
and on a side note - who would allow PutObject without authing them?
NotAction is an advanced policy element that explicitly matches everything except the specified list of actions. Using NotAction can result in a shorter policy by listing only a few actions that should not match, rather than including a long list of actions that will match. When using NotAction, you should keep in mind that actions specified in this element are the only actions that are limited. This, in turn, means that all of the applicable actions or services that are not listed are allowed if you use the Allow effect.
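To check the net effect of the statement the notes above describe (Effect Deny, NotAction s3:PutObject, Resource *, Condition BoolIfExists aws:MultiFactorAuthPresent false), here is an added mini-evaluator in Python. It is not from this thread or from AWS; it assumes that single Deny statement is the whole policy, and it models only the Action/NotAction and Bool/BoolIfExists semantics needed for this question.

```python
import fnmatch

# The statement under discussion, reconstructed from the notes in the thread.
# Assumption: it is the policy's only statement.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "NotAction": "s3:PutObject",
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _action_matches(statement, action):
    """Action/NotAction matching with IAM-style '*' wildcards, case-insensitive."""
    if "Action" in statement:
        pats = _as_list(statement["Action"])
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in pats)
    # NotAction: the statement applies to every action EXCEPT the listed ones.
    pats = _as_list(statement["NotAction"])
    return not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in pats)

def _condition_matches(statement, context):
    """Only Bool and BoolIfExists are modelled (the operators this thread is about)."""
    for operator, keys in statement.get("Condition", {}).items():
        for key, expected in keys.items():
            if key not in context:          # e.g. long-term access keys: no MFA key at all
                if operator == "BoolIfExists":
                    continue                 # missing key counts as a match
                return False                 # plain Bool: missing key never matches
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True

def evaluate(policy, action, context):
    """'Deny', 'Allow' or 'ImplicitDeny' for one request; an explicit Deny wins."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if _action_matches(st, action) and _condition_matches(st, context):
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def net_effect(policy, actions, mfa_present):
    """Decision per action; mfa_present=None means the context key is absent."""
    ctx = {} if mfa_present is None else {"aws:MultiFactorAuthPresent": str(mfa_present).lower()}
    return {a: evaluate(policy, a, ctx) for a in actions}
```

With MFA absent (key false or missing) every action except s3:PutObject comes back Deny, while s3:PutObject is simply not matched by this statement and is left to other policies; with MFA present the statement matches nothing, which is the behaviour option D describes.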