Back to AWS Identity and Access Management (IAM)

IAM Multi-Factor Authentication (MFA)

5 minutes 5 Questions

IAM Multi-Factor Authentication (MFA) is an added layer of account security used to verify users' identities by requiring them to provide two or more factors during the authentication process. MFA is a critical component of an AWS account's security and is especially vital when accessing AWS Manage…

Test mode:
Start practice test
AWS Certified Solutions Architect - IAM Multi-Factor Authentication (MFA) Example Questions

Test your knowledge of IAM Multi-Factor Authentication (MFA)

Question 1

An organization wants IAM users in its account to access a specific S3 bucket only when they authenticate with MFA. You will attach a policy to the IAM users (not the bucket). Which policy condition should you use to enforce this requirement?

Correct Answer: Create a policy with 'aws:MultiFactorAuthPresent' as a condition.

To require MFA for IAM users accessing an S3 bucket using a policy attached to those users, include the condition key aws:MultiFactorAuthPresent and set it to true in the Allow statement. This ensures access is granted only when the user is authenticated with MFA. Modifying the bucket policy is not what this question asks (it specifies attaching a policy to users), AmazonS3FullAccess does not enforce MFA, and aws:MultiFactorAuthAbsent is typically used in explicit Deny statements rather than in an Allow to enforce MFA.

Question 2

A company wants to enforce 2-step verification for their AWS Management Console users. How should the IAM administrator set up Multi-Factor Authentication (MFA)?

Correct Answer: Enable MFA in the user's IAM settings and require users to apply MFA device.

To enforce Multi-Factor Authentication for IAM users, the administrator must enable MFA in each user's IAM settings and require the users to configure their selected MFA device. Other options are irrelevant or not related to the IAM MFA enforcement.

Question 3

A company wants to use MFA for their AWS Management Console but don't want to invest in hardware MFA devices. Which alternative can the IAM administrator suggest?

Correct Answer: Use a virtual MFA device like Google Authenticator or Authy.

Virtual MFA devices such as Google Authenticator or Authy provide MFA functionality without needing a hardware device. Other options are either not practical, insecure, or do not provide MFA at all.

More IAM Multi-Factor Authentication (MFA) questions
15 questions (total)
Start 15 question test