What should the company do to accomplish this?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A company has an AWS account and allows a third-party contractor, who uses another AWS account, to assume certain IAM roles.The company wants to ensure that IAM roles can be assumed by the contractor only if the contractor has multi-factor authentication enabled on their IAM user accounts.

What should the company do to accomplish this?

Add the following condition to the IAM policy attached to all IAM roles: “Effect”: “Deny”, “Condition” : { “BoolItExists” : { “aws:MultiFactorAuthPresent” : false } }

Add the following condition to the IAM policy attached to all IAM roles: “Effect”: “Deny”, “Condition” : { “Bool” : { “aws:MultiFactorAuthPresent” : false } }

Add the following condition to the IAM policy attached to all IAM roles: “Effect”: “Allow”, “Condition” : { “Null” : { “aws:MultiFactorAuthPresent” : false } }

Add the following condition to the IAM policy attached to all IAM roles: “Effect”: “Allow”, “Condition” : { “BoolItExists” : { “aws:MultiFactorAuthPresent” : false } }

2025-09-30

1 Comment

  1. Jeremy
    Author

    In my opinion, the answer is:
    Add the following condition to the IAM policy attached to all IAM roles: “Effect”: “Deny”, “Condition” : { “BoolItExists” : { “aws:MultiFactorAuthPresent” : false } }

Leave a Reply

Your email address will not be published. Required fields are marked *

2 × five =