Exam AWS Certified Security - Specialty topic 1 question 274 discussion

Sorry it's B and D https://aws.amazon.com/premiumsupport/knowledge-center/enforce-mfa-other-account-access-bucket/

A, D. A over B because you cannot specify IAM groups as principals in a policy. ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

AD, group can not be the principle of resource policy

Deny if MultiFactorAuthPresent=false (not present)..if applicable (if exists). Note The condition check for MultiFactorAuthPresent in the Deny statement should not be a {"Bool":{"aws:MultiFactorAuthPresent":false}} because that key is not present and cannot be evaluated when MFA is not used. So instead, use the BoolIfExists check to see whether the key is present before checking the value. For more information, see ...IfExists condition operators. BD.

https://docs.aws.amazon.com/ko_kr/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-multifactorauthpresent BoolIfExists makes MFA be optional

Answer - BD reference for bool and boolifexist https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_ec2_require-mfa.html#:~:text=The%20condition%20check,condition%20operators.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html The answer is BD

To sum up: If you use deny policy, you should use boolifexists with mfapresent:false else on an allow policy, you should use bool with mfapresent:true.

it's BE, arguments for E: The "BoolIfExists" element is used when the policy condition can be optional. he requirement is to ensure that users in an IAM group can perform Amazon S3 actions only after authenticating with MFA. This is a mandatory requirement, not an optional one. Therefore, the "Bool" element should be used instead of "BoolIfExists". Using "BoolIfExists" would make the MFA authentication condition optional, which would defeat the purpose of the policy. If "BoolIfExists" were used, a user could potentially bypass the MFA requirement by not using their MFA device when accessing S3, which would create a security vulnerability.

A, D is the right answer. the question specifically mention the restriction for MFA should be there for the users in the IAM group, not the whole IAM group intself.

https://aws.amazon.com/premiumsupport/knowledge-center/mfa-iam-user-aws-cli/

I think the confusion on this question is due to this: - You cannot use groups as principals in resource based policies - But you can attach IAM user policies to groups.

Who ever said AD - You're on crack. The answer is BD of course you can add policy to groups. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_attach-policy.html AWS CLI: aws iam attach-group-policy AWS API: AttachGroupPolicy

A.D can't attach iam group to s3 bucket policy . https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

Since the policy can be applied to a group, option B seems to be the best option.

The first part can explicitly deny those actions when the user doesn't authenticate using MFA (the condition "aws:MultiFactorAuthPresent": "false" is met), similar to the following: "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject" ], "Resource": "arn:aws:s3:::example.accounta.bucket/*", "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } } }, For thoses who say that you cannot attach persmission policies to group. How about trying ? it takes 10 seconds to verify than you can Attach permissions policies - Optional (758)Info You can attach up to 10 policies to this user group. All the users in this group will have permissions that are defined in the selected policies.

Depending on the bool value of aws:MultiFactorAuthPresent should be different as follows: 1. "Effect": "Deny", ....., "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}} 2. "Effect": "Allow", ....., "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}