Which policy should the SysOps administrator apply to meet this requirement?
{“Version”: “2012-10-17″,”Statement”: [{“Effect”: “Allow”,”Action”: [“ec2:StopInstances”,”ec2:TerminateInstances”],”Resource”: “*”,”Condition”: {“Bool”: {“aws:MultiFactorAuthPresent”: “true”}}}]}
{“Version”: “2012-10-17″,”Statement”: [{“Effect”: “Allow”,”Action”: [“ec2:StopInstances”,”ec2:TerminateInstances”],”Resource”: “*”}]}
{“Version”: “2012-10-17″,”Statement”: [{“Effect”: “NotAction”,”Action”: [“ec2:StopInstances”,”ec2:TerminateInstances”],”Resource”: “*”,”Condition”: {“Bool”: {“aws:MultiFactorAuthPresent”: “true”}}}]}
{“Version”: “2012-10-17″,”Statement”: [{“Effect”: “Deny”,”Action”: [“ec2:StopInstances”,”ec2:TerminateInstances”],”Resource”: “*”,”Condition”: {“StringNotEqualsIfExists”: {“PrincipalServiceName”: “ec2.amazonaws.com”}}}]}
Explanations:
This policy allowsec2:StopInstancesandec2:TerminateInstancesactions only when the user is authenticated with MFA (aws:MultiFactorAuthPresentistrue). This directly meets the requirement.
This policy allowsec2:StopInstancesandec2:TerminateInstanceswithout any MFA requirement, which does not fulfill the policy that requires MFA authentication.
This policy usesNotAction, which is incorrect becauseNotActionapplies to not allowing specific actions, and the intention is to allow actions only with MFA.
This policy uses aDenystatement, which would prevent the actions if the condition is met. The requirement is to allow the actions only with MFA, not deny.
I have a feeling that the answer is:
{“Version”: “2012-10-17″,”Statement”: [{“Effect”: “Allow”,”Action”: [“ec2:StopInstances”,”ec2:TerminateInstances”],”Resource”: “*”,”Condition”: {“Bool”: {“aws:MultiFactorAuthPresent”: “true”}}}]}