
Explanation:
BoolIfExists tests the key only if it exists in the request context; if the key is absent, the condition evaluates to true. So the Deny triggers when aws:MultiFactorAuthPresent is false or missing (no MFA). Sessions authenticated with MFA have this key set to true and are not denied.
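The difference between BoolIfExists and plain Bool only shows up when the key is missing from the request, as it is for requests signed with long-term access keys. The following is an added example, not AWS code and not part of the original question: a simplified model of how the two operators match, run over three constructed request contexts (function names and contexts are assumptions made for illustration).

```python
# Added example: simplified model of IAM Bool / BoolIfExists matching.
# Not AWS code; the request contexts below are constructed samples.

POLICY_CONDITION = {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}


def condition_matches(condition, context):
    """Return True when every operator block in `condition` matches `context`."""
    for operator, tests in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        if base != "Bool":
            raise ValueError(f"unsupported operator in this sketch: {operator}")
        for key, expected in tests.items():
            if key not in context:
                # Missing key: ...IfExists counts as a match, plain Bool does not.
                if if_exists:
                    continue
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def delete_denied(condition, context):
    """The Deny on s3:DeleteObject applies exactly when its condition matches."""
    return condition_matches(condition, context)


# Constructed request contexts (hypothetical labels).
CONTEXTS = {
    "session with MFA": {"aws:MultiFactorAuthPresent": "true"},
    "temporary credentials, no MFA": {"aws:MultiFactorAuthPresent": "false"},
    "long-term access key (key absent)": {},
}


def compare():
    """Map each context to (denied under BoolIfExists, denied under Bool)."""
    plain = {"Bool": POLICY_CONDITION["BoolIfExists"]}
    return {name: (delete_denied(POLICY_CONDITION, ctx), delete_denied(plain, ctx))
            for name, ctx in CONTEXTS.items()}


if __name__ == "__main__":
    for name, (if_exists, plain) in compare().items():
        print(f"{name:36} BoolIfExists deny={if_exists!s:5} Bool deny={plain}")
```

With plain Bool, the request that carries no MFA key at all slips past the Deny, which is why MFA-enforcement policies use the IfExists form.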
Question 6
A policy uses the aws:MultiFactorAuthPresent condition key as shown. When will access be denied?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
A. Always — s3:DeleteObject is always denied
B. When the request is made without MFA authentication
C. Only for IAM users; IAM roles are unaffected
D. When MFA is present in the session