Exam AWS Certified Security - Specialty topic 1 question 434 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 434
Topic #: 1

A security engineer is attempting to assign a virtual multi-factor authentication (MFA) device to an IAM user whose current virtual MFA device is faulty. The security engineer receives an error message that indicates that the security engineer is not authorized to perform iam:DeleteVirtualMFADevice.

The IAM role that the security engineer is using has the correct permissions to delete, list, and create a virtual MFA device. The IAM user also has permissions to delete their own virtual MFA device, but only if the IAM user is authenticated with MFA.

What should the security engineer do to resolve this issue?

  • A. Modify the policy for the IAM user to allow the IAM user to delete the virtual MFA device without using MFA authentication.
  • B. Sign in as the AWS account root user. Modify the MFA device by using the IAM console to generate a new synchronization quick response (QR) code.
  • C. Use the AWS CLI or AWS API to find the ARN of the virtual MFA device and to delete the device.
  • D. Sign in as the AWS account root user. Delete the virtual MFA device by using the IAM console.
Suggested Answer: C 🗳️
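
The CLI procedure named in option C, as an added example that is not part of the original question or of AWS's own documentation. The function names are hypothetical, and matching an unassigned device by a name equal to the user name is an assumption.

```bash
#!/usr/bin/env bash
# Added example: remove a user's faulty virtual MFA device with the AWS CLI.
# Assumes credentials for a role allowed to list, deactivate and delete MFA devices.
set -eu

# Print "<serial ARN><TAB><assigned user or None>" for each virtual MFA device
# that is assigned to the user, or is unassigned but named after the user
# (assumption: an abandoned setup left a device whose name is the user name).
find_virtual_mfa() {
  local user="$1"
  aws iam list-virtual-mfa-devices --assignment-status Any --output text \
    --query "VirtualMFADevices[?User.UserName=='${user}' || ends_with(SerialNumber, ':mfa/${user}')].[SerialNumber, User.UserName]"
}

# Deactivate (if assigned) and delete every device found; print what was deleted.
remove_virtual_mfa() {
  local user="$1" list serial owner
  list=$(find_virtual_mfa "$user")
  while read -r serial owner <&3; do
    [ -n "$serial" ] || continue
    # An assigned device must be deactivated before it can be deleted.
    if [ "$owner" = "$user" ]; then
      aws iam deactivate-mfa-device --user-name "$user" --serial-number "$serial" >/dev/null
    fi
    aws iam delete-virtual-mfa-device --serial-number "$serial" >/dev/null
    echo "deleted $serial"
  done 3<<EOF
$list
EOF
}

# Usage: ./script.sh <iam-user-name>
if [ "$#" -ge 1 ]; then
  remove_virtual_mfa "$1"
fi
```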

Comments

Fyssy
Highly Voted 2 years, 5 months ago
Selected Answer: C
To resolve this issue, you or another administrator must delete the user's existing MFA device using the AWS CLI or AWS API. For more information, see I am not authorized to perform: iam:DeleteVirtualMFADevice. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage-mfa-only.html
upvoted 12 times
cherry23
1 year, 9 months ago
A is wrong because even if you have permission, you still need to log in, and this will need MFA.
upvoted 1 times
TECHNOWARRIOR
Most Recent 1 year, 9 months ago
Option D is not the correct answer because it would require the security engineer to sign in as the AWS account root user. This is not necessary in this case, as the security engineer can use the AWS CLI or AWS API to delete the virtual MFA device without signing in as the AWS account root user. The correct answer is C. The security engineer is not authorized to perform the iam:DeleteVirtualMFADevice action because the IAM role that they are using does not have the correct permissions. The IAM user has permissions to delete their own virtual MFA device, but only if they are authenticated with MFA. To resolve this issue, the security engineer can use the AWS CLI or AWS API to find the ARN of the virtual MFA device and to delete the device.
upvoted 1 times
Granwizzard
1 year, 9 months ago
Selected Answer: D
If the security engineer is receiving the error, how will option C work? I believe it is D.
upvoted 1 times
task_7
2 years ago
Selected Answer: D
https://repost.aws/knowledge-center/lost-broken-mfa
upvoted 2 times
Nan001
2 years, 2 months ago
Selected Answer: D
The error message indicates that the security engineer is not authorized to perform iam:DeleteVirtualMFADevice, so modifying the policy for the IAM user to allow the IAM user to delete the virtual MFA device without using MFA authentication (option A) is not a recommended solution. Option B suggests signing in as the AWS account root user, which is not recommended because it violates the AWS security best practice of using the root user only for AWS account and billing management purposes. Option C is a viable solution, but it requires additional steps to find the ARN of the virtual MFA device and to ensure that the IAM user is authenticated with MFA. Therefore, the best solution is to sign in as the AWS account root user and delete the virtual MFA device using the IAM console (option D). The root user has the necessary permissions to delete the virtual MFA device, and the IAM console provides a user-friendly interface to manage IAM resources. Once the virtual MFA device is deleted, the IAM user can re-assign a new virtual MFA device.
upvoted 2 times
Nan001
2 years, 2 months ago
I am taking it back, it is C.
upvoted 1 times
tainh
2 years, 4 months ago
Selected Answer: C
C is correct https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa
upvoted 4 times
Shriraj32
2 years, 5 months ago
Selected Answer: C
It's C. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage-mfa-only.html
upvoted 4 times