AWS Certified Solutions Architect - Professional / Question #983 of 529

Question #983

A solutions architect must ensure that a team of cloud engineers uses multi-factor authentication (MFA) when deleting objects from an Amazon S3 bucket. Each cloud engineer has an IAM user, IAM access keys, and a virtual MFA device. The IAM users are part of a group named S3-delete-access. The engineers must use MFA to perform any delete operations in Amazon S3.

Which solution meets these requirements?

A

Attach a bucket policy to the S3 bucket that requires MFA for delete operations. Use IAM access keys with the AWS CLI to interact with Amazon S3.

B

Modify the trust policy for the S3-delete-access group to enforce MFA during group assumption. Use IAM access keys with the AWS CLI to call Amazon S3.

C

Attach a policy to the S3-delete-access group that denies S3 delete actions unless MFA is authenticated. Use IAM access keys with the AWS CLI to call Amazon S3.

D

Attach a policy to the S3-delete-access group that denies S3 delete actions unless MFA is authenticated. Obtain temporary credentials via AWS STS and configure them in a profile referenced by Amazon S3 during operations.

Explanation

The correct answer is D. Here's why:

- Option D: Attaching a policy to the IAM group that denies S3 delete actions unless MFA is authenticated ensures that MFA is required. Using AWS STS to obtain temporary credentials (after MFA validation) and configuring them in the AWS CLI ensures that the MFA condition is met. Temporary credentials from STS include MFA context, satisfying the policy's aws:MultiFactorAuthPresent condition.

- Why the others are incorrect:
  - A: A bucket policy requiring MFA would block access if access keys (without MFA) are used directly, as they lack MFA context.
  - B: IAM groups do not have trust policies; trust policies apply to roles.
  - C: Using access keys without temporary STS credentials cannot satisfy the MFA condition, resulting in denied deletions.

Key Points:
- MFA enforcement requires temporary credentials obtained via STS with MFA.
- IAM policies use aws:MultiFactorAuthPresent to check MFA usage.
- Access keys alone cannot transmit MFA status; STS is necessary.
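The condition that options C and D hinge on, as an added example that is not part of the original question or explanation: a small Python evaluator for the group policy option D describes, run against two constructed request contexts (long-term access keys versus an MFA-backed STS session). It also shows why the condition should use BoolIfExists rather than plain Bool, since requests signed with long-term access keys carry no aws:MultiFactorAuthPresent key at all.

```python
import copy

# Added example, not the question page's own policy. The group policy option D
# describes: Deny wins over any Allow, so deletes are blocked unless the request
# carries MFA context. BoolIfExists also matches when the condition key is
# absent, which is the case for requests signed with long-term IAM access keys.
DENY_DELETE_WITHOUT_MFA = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyS3DeleteWithoutMFA",
        "Effect": "Deny",
        "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket"],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}

# Constructed request contexts: long-term access keys carry no
# aws:MultiFactorAuthPresent key at all; an STS session from
# get-session-token with an MFA code carries it as true.
ACCESS_KEY_CONTEXT = {}
MFA_SESSION_CONTEXT = {"aws:MultiFactorAuthPresent": True}


def condition_matches(condition, context):
    """True if every condition key matches the request context (Bool/BoolIfExists only)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                if operator == "Bool":      # Bool never matches a missing key
                    return False
                continue                    # BoolIfExists: a missing key matches
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True

def delete_allowed(policy, action, context):
    """False if any Deny statement matches; an Allow is assumed to exist elsewhere."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] == "Deny" and action in actions:
            if condition_matches(stmt.get("Condition", {}), context):
                return False
    return True

def with_operator(operator):
    """Same policy with another condition operator, to show the plain-Bool pitfall."""
    policy = copy.deepcopy(DENY_DELETE_WITHOUT_MFA)
    policy["Statement"][0]["Condition"] = {operator: {"aws:MultiFactorAuthPresent": "false"}}
    return policy
```

With plain Bool, a delete signed with long-term access keys is not denied, because the missing key makes the Deny condition fail to match; BoolIfExists closes that gap.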

Answer

The correct answer is: D