Exam AWS-SysOps topic 1 question 602 discussion

Exam question from Amazon's AWS-SysOps

Question #: 602
Topic #: 1

A company has mandated the use of multi-factor authentication (MFA) for all IAM users, and requires users to make all API-calls using the CLI. However, users are not prompted to enter MFA tokens, and are able to run CLI commands without MFA. In an attempt to enforce MFA, the company attached an IAM policy to all users that denies API calls that have not been authenticated with MFA.
What additional step must be taken to ensure that API calls are authenticated using MFA?

A. Enable MFA on IAM roles, and require IAM users to use role credentials to sign API calls.
B. Ask the IAM users to log into the AWS Management Console with MFA before making API calls using the CLI.
C. Restrict the IAM users to use of the console, as MFA is not supported for CLI use.
D. Require users to use temporary credentials from the get-session token command to sign API calls.

Show Suggested Answer

Suggested Answer: D 🗳️
Reference:
https://aws.amazon.com/iam/faqs/
(Multi-factor authentication)

by saumenP at Oct. 22, 2019, 12:49 p.m.

Disclaimers:

- ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
- Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Submit Cancel

aksliveswithaws

Highly Voted 10 months, 2 weeks ago

D is correct Ref = https://aws.amazon.com/iam/faqs/ FAQ: Q: How can IAM users request temporary security credentials for their own use? IAM users can request temporary security credentials for their own use by calling the AWS STS GetSessionToken API. The default expiration for these temporary credentials is 12 hours; the minimum is 15 minutes, and the maximum is 36 hours. You can also use temporary credentials with Multi-Factor Authentication (MFA)-Protected API Access.

upvoted 7 times

...