What additional step must be taken to ensure that API calls are authenticated using MFA?
Enable MFA on IAM roles, and require IAM users to use role credentials to sign API calls.
Ask the IAM users to log into the AWS Management Console with MFA before making API calls using the CLI.
Restrict the IAM users to use of the console, as MFA is not supported for CLI use.
Require users to use temporary credentials from the get-session-token command to sign API calls.
Explanations:
Enabling MFA on IAM roles would not directly solve the issue of ensuring MFA authentication for API calls made using the CLI. The MFA policy applies to IAM users, not roles.
Asking users to log into the AWS Management Console with MFA before making CLI API calls is unnecessary, as the requirement is to ensure MFA for API calls made through the CLI, not through the console.
Restricting IAM users to the console is not a viable solution. The company wants to enforce MFA for API calls through the CLI, not restrict its use.
Requiring users to use temporary credentials from the get-session-token command ensures that MFA is used to authenticate API calls. This step is necessary to comply with the MFA policy in the IAM configuration.