
Exam AWS Certified Security - Specialty topic 1 question 264 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 264
Topic #: 1

A company has two AWS accounts: Account A and Account B. Account A has an IAM role that IAM users in Account B assume when they need to upload sensitive documents to Amazon S3 buckets in Account A.
A new requirement mandates that users can assume the role only if they are authenticated with multi-factor authentication (MFA). A security engineer must recommend a solution that meets this requirement with minimum risk and effort.
Which solution should the security engineer recommend?

  • A. Add an aws:MultiFactorAuthPresent condition to the role's permissions policy.
  • B. Add an aws:MultiFactorAuthPresent condition to the role's trust policy.
  • C. Add an aws:MultiFactorAuthPresent condition to the session policy.
  • D. Add an aws:MultiFactorAuthPresent condition to the S3 bucket policies.
Suggested Answer: B

Comments

kiev
Highly Voted 3 years, 8 months ago
B after much thinking. The issue is with the role and not the bucket. Since the role is sensitive, it means we need MFA before we assume that role and thus B is the answer.
upvoted 15 times
timlow84
3 years, 6 months ago
Yes agreed. We want to enforce MHA on the IAM users, and not on the bucket.
upvoted 1 times
timlow84
3 years, 6 months ago
MFA (typo)
upvoted 1 times
sapien45
2 years, 9 months ago
Certainly appreciate the "much thinking" ... but the whole point of this is to prove your points with AWS official literature, and not feelings. https://aws.amazon.com/blogs/security/how-do-i-protect-cross-account-access-using-mfa-2/ It is important to note that the MFA condition can be specified only in the role trust policy (and not in the role access policy discussed below). It controls whether MFA is required or not to assume the role.
upvoted 7 times
raoconn
Highly Voted 3 years, 8 months ago
Both B and D block access, but B does so when the user tries to authenticate https://aws.amazon.com/blogs/security/how-do-i-protect-cross-account-access-using-mfa-2/
upvoted 8 times
sapien45
2 years, 11 months ago
Great Link, B
upvoted 2 times
Raphaello
Most Recent 1 year, 3 months ago
Selected Answer: B
B is the correct answer. Need MFA to assume the role, not to access S3. The role could have other permissions in its permissions policy, so the MFA is dependent on its trust policy, not any of its permission policy (services).
upvoted 1 times
Raphaello
1 year, 3 months ago
Selected Answer: B
Correct answer is B.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {"AWS": "ACCOUNT-B"},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }
}
upvoted 1 times
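The comments above settle on the trust policy as the one place where the MFA condition gates sts:AssumeRole. The audit script below is an added example (not code from this discussion, from the exam, or from AWS) that checks a trust policy document offline for exactly that: every Allow statement covering sts:AssumeRole must carry `Bool: {aws:MultiFactorAuthPresent: true}`. It applies IAM policy-language rules (scalar-or-list fields, case-insensitive action and condition-key matching, wildcards in Action) and also flags the `BoolIfExists` form, which looks like an MFA check but still matches requests where the key is absent. The three sample policies are constructed; `ACCOUNT-B` is a placeholder for Account B's account ID, and the function names are my own.

```python
"""Offline audit of an IAM role trust policy for a hard MFA requirement on
sts:AssumeRole. Added example; not code from the page, its commenters or AWS.
Input is the trust policy document as a dict (what `aws iam get-role` returns
under Role.AssumeRolePolicyDocument); sample policies below are constructed.
"""
import fnmatch
from typing import Any, Dict, List

MFA_KEY = "aws:multifactorauthpresent"  # condition keys match case-insensitively
TARGET_ACTION = "sts:assumerole"        # actions match case-insensitively, with wildcards


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a scalar or a list for Statement, Action and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_assume_role(stmt: Dict[str, Any]) -> bool:
    """True if any Action pattern in the statement matches sts:AssumeRole
    (e.g. 'sts:AssumeRole', 'sts:*', '*')."""
    return any(fnmatch.fnmatchcase(TARGET_ACTION, str(a).lower())
               for a in _as_list(stmt.get("Action")))


def _mfa_condition(stmt: Dict[str, Any], operator: str) -> List[str]:
    """Values bound to aws:MultiFactorAuthPresent under `operator`, lower-cased;
    empty list when the key is not used with that operator."""
    for op, pairs in (stmt.get("Condition") or {}).items():
        if op.lower() != operator:
            continue
        for key, value in pairs.items():
            if key.lower() == MFA_KEY:
                return [str(v).lower() for v in _as_list(value)]
    return []


def unprotected_statements(policy: Dict[str, Any]) -> List[int]:
    """Indices of Allow statements that let a principal call sts:AssumeRole
    without a hard MFA requirement.

    Only `Bool: {aws:MultiFactorAuthPresent: "true"}` counts as enforcing.
    `BoolIfExists` with "true" also matches requests in which the key is
    absent (for example a session obtained by role chaining), so a statement
    relying on it is reported as unprotected.
    """
    findings: List[int] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _covers_assume_role(stmt):
            continue
        if _mfa_condition(stmt, "bool") != ["true"]:
            findings.append(i)
    return findings


def trust_policy_requires_mfa(policy: Dict[str, Any]) -> bool:
    """True when every Allow path to sts:AssumeRole in this trust policy requires MFA."""
    return not unprotected_statements(policy)


# Constructed samples. "ACCOUNT-B" stands in for Account B's 12-digit account ID.
TRUST_POLICY_WITH_MFA: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": {  # single statement as an object, which IAM permits
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::ACCOUNT-B:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    },
}

TRUST_POLICY_NO_MFA: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::ACCOUNT-B:root"},
        "Action": "sts:AssumeRole",
    }],
}

TRUST_POLICY_WEAK: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {   # BoolIfExists/true: passes when the MFA key is missing entirely
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::ACCOUNT-B:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}},
        },
        {   # same principal, hard requirement: fine
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::ACCOUNT-B:root"},
            "Action": "STS:*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
    ],
}

if __name__ == "__main__":
    for name, doc in [("with MFA", TRUST_POLICY_WITH_MFA),
                      ("no MFA", TRUST_POLICY_NO_MFA),
                      ("BoolIfExists", TRUST_POLICY_WEAK)]:
        print(f"{name}: requires_mfa={trust_policy_requires_mfa(doc)} "
              f"unprotected statements={unprotected_statements(doc)}")
```

To run this against a live role, pass the dict from `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` to `trust_policy_requires_mfa`. The check deliberately ignores the role's permissions policy and any bucket policy: those are evaluated after the session already exists, which is why option B, not A or D, is the answer the question is looking for.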
Olawale100
1 year, 8 months ago
The correct answer is B. This is because the role needs to be checked for MFA first before proceeding to S3 bucket policy. Security principles should apply close to the resource.
upvoted 1 times
Noexperience
1 year, 11 months ago
D is correct https://repost.aws/knowledge-center/enforce-mfa-other-account-access-bucket
upvoted 1 times
Smartphone
2 years, 4 months ago
B is correct answer. https://aws.amazon.com/blogs/security/how-do-i-protect-cross-account-access-using-mfa-2/
upvoted 2 times
Jimmy123
2 years, 4 months ago
Selected Answer: B
The security engineer should recommend adding an aws:MultiFactorAuthPresent condition to the role's trust policy. This will ensure that only users who have been authenticated with multi-factor authentication (MFA) are able to assume the role and access the sensitive documents in the Amazon S3 buckets in Account A. This solution meets the requirement with minimum risk and effort.
upvoted 1 times
jishrajesh
2 years, 5 months ago
selected B
upvoted 1 times
dcasabona
2 years, 10 months ago
Selected Answer: B
Great link raoconn...
upvoted 1 times
JOKERO
3 years ago
The question is: "A new requirement requires users to be verified using multi-factor authentication (MFA) before they may accept the job." For me, it doesn't say only users from Account B, so my answer ----> D
upvoted 1 times
MoreOps
3 years, 1 month ago
Selected Answer: B
After reviewing the discussions I too think that B is the answer
upvoted 2 times
TigerInTheCloud
3 years, 2 months ago
Selected Answer: D
I prefer D to B for 'least amount of risk and effort'. The bucket is protected even if any new role/user is granted access without MFA. The drawback is some conditions are needed to allow access of some uploading processes that cannot use MFA, such as application, scheduled uploading...
upvoted 1 times
ceros399
3 years, 2 months ago
Selected Answer: D
D will work, and if you think about it, it is more scalable: you make sure that no matter which account is trying to access the bucket, every account will require MFA enabled.
upvoted 2 times
dmmbr
2 years, 9 months ago
A new requirement mandates that users can assume the role only if they are authenticated with multi-factor authentication (MFA).
upvoted 1 times
Binno
3 years, 3 months ago
My answer is D, add MFA condition to bucket policy. Reference: https://aws.amazon.com/premiumsupport/knowledge-center/enforce-mfa-other-account-access-bucket/
upvoted 1 times
lotfi50
3 years, 3 months ago
Selected Answer: B
the good answer is B
upvoted 1 times
ideoignus
3 years, 3 months ago
Selected Answer: D
Note: The temporary credentials that AssumeRole returns won't work in this case. Although the user can provide MFA information to assume a role, the temporary credentials returned by AssumeRole don't include the MFA information. That information is required in order to meet the MFA condition in the policy. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html#MFAProtectedAPI-resource-policies
upvoted 1 times