What should the security engineer do to resolve this issue?
Modify the policy for the IAM user to allow the IAM user to delete the virtual MFA device without using MFA authentication.
Sign in as the AWS account root user. Modify the MFA device by using the IAM console to generate a new synchronization quick response (QR) code.
Use the AWS CLI or AWS API to find the ARN of the virtual MFA device and to delete the device.
Sign in as the AWS account root user. Delete the virtual MFA device by using the IAM console.
Explanations:
Modifying the IAM user’s policy to allow deletion without MFA authentication would violate the principle of least privilege. It’s better to resolve the issue by using the proper IAM roles and permissions.
Signing in as the AWS account root user and modifying the MFA device through the IAM console is not necessary. The security engineer’s IAM role already has the correct permissions for the task.
The security engineer can use the AWS CLI or AWS API to delete the virtual MFA device. This method bypasses the MFA requirement for the IAM user, as the engineer’s IAM role has the necessary permissions to delete the device.
Signing in as the AWS account root user should be avoided unless absolutely necessary. It is not required in this case, as the security engineer’s IAM role has the necessary permissions to delete the MFA device.
If I’m not mistaken, the answer is:
Use the AWS CLI or AWS API to find the ARN of the virtual MFA device and to delete the device.