
Explanation:
To enforce MFA, AWS recommends an explicit Deny statement with the BoolIfExists condition operator. BoolIfExists matches when the aws:MultiFactorAuthPresent key is present with the value false, OR when the key is missing altogether (which is the case when users sign requests with long-term credentials instead of an MFA-authenticated session). Option A therefore denies ec2:StopInstances and ec2:TerminateInstances whenever the request is not MFA-authenticated, and because an explicit Deny overrides any Allow the user holds in other policies, it enforces the requirement regardless of what else the user is permitted to do. The Allow-based options (B and D) cannot take away permissions granted elsewhere, and option C denies precisely the MFA-authenticated users who should be permitted.
Question 39
A SysOps administrator is responsible for the security of a company's AWS account. The company has a policy that a user may stop or terminate Amazon EC2 instances only when the user is authenticated by using a multi-factor authentication (MFA) device. Which policy should the SysOps administrator apply to meet this requirement?
A
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
      "Resource": "*",
      "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}
B
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
      "Resource": "*",
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    }
  ]
}
C
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
      "Resource": "*",
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    }
  ]
}
D
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
      "Resource": "*",
      "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}
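The following added example (not part of the question or of any AWS code) walks the four candidate policies through a deliberately simplified model of IAM evaluation, so the effect of Bool versus BoolIfExists and of Deny versus Allow can be seen for an MFA session, a temporary session without MFA, and a long-term access key. The baseline Allow, the request contexts and the evaluation rules are assumptions constructed for the demonstration, not IAM's real implementation.

```python
def mfa_policy(effect, operator, value):
    # Only Effect, the condition operator and its value differ between options A-D.
    return {"Version": "2012-10-17", "Statement": [{"Effect": effect, "Resource": "*",
            "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
            "Condition": {operator: {"aws:MultiFactorAuthPresent": value}}}]}

OPTIONS = {
    "A": mfa_policy("Deny", "BoolIfExists", "false"),
    "B": mfa_policy("Allow", "Bool", "true"),
    "C": mfa_policy("Deny", "Bool", "true"),
    "D": mfa_policy("Allow", "BoolIfExists", "false"),
}
# Assumed broad Allow the user already holds (e.g. a group policy); only an explicit Deny overrides it.
BASELINE_ALLOW = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed request contexts. The MFA key is absent for requests signed with long-term
# access keys; temporary credentials carry it as "true" or "false".
CONTEXTS = {
    "mfa_session": {"aws:MultiFactorAuthPresent": "true"},
    "session_without_mfa": {"aws:MultiFactorAuthPresent": "false"},
    "long_term_access_key": {},
}

def condition_matches(condition, context):
    """Bool: key must be present and equal the value. BoolIfExists: a missing key also matches."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                if operator != "BoolIfExists":
                    return False
            elif str(context[key]).lower() != str(expected).lower():
                return False
    return True

def evaluate(policies, action, context):
    """Simplified IAM logic: a matching explicit Deny wins, then any Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in (s for pol in policies for s in pol["Statement"]):
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if (action not in actions and "*" not in actions) or \
                not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def decisions(option, with_baseline=True):
    # Decision for ec2:TerminateInstances under each request context for one answer option.
    policies = [BASELINE_ALLOW, OPTIONS[option]] if with_baseline else [OPTIONS[option]]
    return {name: evaluate(policies, "ec2:TerminateInstances", ctx) for name, ctx in CONTEXTS.items()}
```

Running decisions("A") shows Allow only for the MFA session and Deny for the other two contexts, while decisions("C") denies the MFA session itself and the Allow-based options never block anything once a baseline Allow exists.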