What should the DevOps engineer do to meet these requirements?
In AWS SSO, configure always-on MFBlock user sign-in when a user does not yet have a registered MFA device.
In AWS SSO, configure always-on MFA. Require a user to register an MFA device at sign-in when the user does not yet have a registered MFA device.
In AWS SSO, configure context-aware MFA. Update the trust policy of all permission sets to include the aws:MultiFactorAuthPresent condition on the sts:AssumeRole action.
In AWS SSO, configure context-aware MFA. Block user sign-in when a user does not yet have a registered MFA device.
Explanations:
AWS SSO does not support blocking user sign-in solely based on the absence of a registered MFA device. This option does not meet the requirement to ensure users manage their MFA devices and are prompted for MFA every time they sign in.
This option ensures that MFA is always required. It prompts users to register an MFA device during sign-in if one is not already registered. This meets the requirements of MFA enforcement and user management of their own MFA devices.
Context-aware MFA is based on conditions like IP address or location, and it does not enforce MFA every time a user signs in. Additionally, it doesn’t align with the requirement that users should manage their own MFA devices.
Context-aware MFA is designed to apply based on conditions like the user’s location or device status, not requiring MFA every time a user signs in. Also, blocking sign-in based solely on the lack of an MFA device does not meet the requirement for users to manage their MFA devices themselves.
I evaluate that the answer is:
In AWS SSO, configure always-on MFA. Require a user to register an MFA device at sign-in when the user does not yet have a registered MFA device.