Exam AWS Certified Security - Specialty topic 1 question 195 discussion

A - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-multifactorauthpresent "Recommended Combination - We recommend that you use the BoolIfExists operator to check whether a request is authenticated using MFA."

B. come on Guys! A says Bool"it"Exists

AWS recommends using "BoolIfExists" due to complicate evaluation interference with many resources when using MFA. Option A is correct.

A is wrong in this case because "BoolIfExists" doesn't exist. True it is recommended to use the "BoolIfExists" operator to ensure that all requests (including CLI commands AOI operations) are denied if without MFA. But in the question we know that it's roles that are being assumed and no scripts are involved. So the credentials that are used by the roles are temporary, so Bool should work perfectly. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-multifactorauthpresent

BoolItExists does not exist so answer cannot be A but B.

Answer - A https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html Recommended Combination We recommend that you use the BoolIfExists operator to check whether a request is authenticated using MFA. "Effect" : "Deny", "Condition" : { "BoolIfExists" : { "aws:MultiFactorAuthPresent" :

The policy should be denied if no secure transport.

The condition statement in the policy should be as follows: "BoolIfExists": { "aws:MultiFactorAuthPresent": "false Therefore A is the correct answer.

A:Recommended Combination We recommend that you use the BoolIfExists operator to check whether a request is authenticated using MFA. ##### WARNING: NOT RECOMMENDED ##### "Effect" : "Deny", "Condition" : { "Bool" : { "aws:MultiFactorAuthPresent" : "false" } } https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-multifactorauthpresent

A Read it in reverse order. No MFA exists > Deny

https://stackoverflow.com/questions/69847891/aws-iam-bool-v-s-boolifexists#71569399

It seems to be option A. This combination of Deny, BoolIfExists, and false denies requests that are not authenticated using MFA. Specifically, it denies requests from temporary credentials that do not include MFA. It also denies requests that are made using long-term credentials, such as AWS CLI or AWS API operations made using access keys. The *IfExists operator checks for the presence of the aws:MultiFactorAuthPresent key and whether or not it could be present, as indicated by its existence. Use this when you want to deny any request that is not authenticated using MFA. This is more secure, but can break any code or scripts that use access keys to access the AWS CLI or AWS API.

A https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html - See Recommended Combination

A is true B is wrong because in that case, not all scenarios will be incluided because aws:MultiFactorAuthPresent only is present when the call is using temporary credentials, if long term credentials are being used, then It will not be present thus the premission will be granted, to apply to al cases we must make sure that the aws:MultiFactorAuthPresent is in the call using "BoolIfExist"

A is correct

A is the right answer "The condition check for MultiFactorAuthPresent in the Deny statement should not be a {"Bool":{"aws:MultiFactorAuthPresent":false}} because that key is not present and cannot be evaluated when MFA is not used. So instead, use the BoolIfExists check to see whether the key is present before checking the value." https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_ec2_require-mfa.html

Answer is A, Read BoolItExists --> BoolfExists (that is a typo)