Which policy should the SysOps administrator apply to meet this requirement?
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["ec2:StopInstances", "ec2:TerminateInstances"], "Resource": "*", "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["ec2:StopInstances", "ec2:TerminateInstances"], "Resource": "*"}]}
{"Version": "2012-10-17", "Statement": [{"Effect": "NotAction", "Action": ["ec2:StopInstances", "ec2:TerminateInstances"], "Resource": "*", "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
{"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Action": ["ec2:StopInstances", "ec2:TerminateInstances"], "Resource": "*", "Condition": {"StringNotEqualsIfExists": {"PrincipalServiceName": "ec2.amazonaws.com"}}}]}
Explanations:
This policy allows the ec2:StopInstances and ec2:TerminateInstances actions only when the caller authenticated with MFA (aws:MultiFactorAuthPresent is true). This directly meets the requirement.
This policy allows ec2:StopInstances and ec2:TerminateInstances without any MFA requirement, so it does not fulfill the requirement that the actions be protected by MFA.
This policy uses NotAction as the Effect, which is invalid: Effect accepts only Allow or Deny, and NotAction is a separate policy element that matches every action except the listed ones. It cannot express "allow these actions only with MFA".
This policy uses a Deny statement, which blocks the actions whenever its condition matches. The requirement is to allow the actions only with MFA, not to deny them.
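To make the difference between the four candidates concrete, the following added example (not part of the original question or of AWS's own tooling) runs each policy through a deliberately simplified model of IAM evaluation: explicit Deny wins, a matching Allow grants, anything else is an implicit deny. It supports only the two condition operators that appear in the question. The request contexts are constructed; note in particular that a request signed with long-term access keys carries no aws:MultiFactorAuthPresent key at all, and a plain Bool condition does not match when its key is absent, which is exactly why the first policy is safe.

```python
import json

# Constructed copies of the four candidate policies from the question.
MFA_ALLOW = json.loads('''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["ec2:StopInstances", "ec2:TerminateInstances"], "Resource": "*",
  "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}''')
PLAIN_ALLOW = json.loads('''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["ec2:StopInstances", "ec2:TerminateInstances"], "Resource": "*"}]}''')
BAD_EFFECT = json.loads('''{"Version": "2012-10-17", "Statement": [{"Effect": "NotAction",
  "Action": ["ec2:StopInstances", "ec2:TerminateInstances"], "Resource": "*",
  "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}''')
SERVICE_DENY = json.loads('''{"Version": "2012-10-17", "Statement": [{"Effect": "Deny",
  "Action": ["ec2:StopInstances", "ec2:TerminateInstances"], "Resource": "*",
  "Condition": {"StringNotEqualsIfExists": {"PrincipalServiceName": "ec2.amazonaws.com"}}}]}''')

# Constructed request contexts (the condition keys IAM would see on the request).
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}     # console/STS session after MFA
NO_MFA_SESSION = {"aws:MultiFactorAuthPresent": "false"}  # temporary creds without MFA
LONG_TERM_KEYS = {}                                        # access keys: key is absent


def condition_matches(condition, context):
    """Assumed, simplified semantics for the two operators used on this page."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Bool":
                # A missing key never matches a plain Bool test (BoolIfExists would).
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringNotEqualsIfExists":
                # Matches when the key is absent, or present with a different value.
                if actual is not None and actual == expected:
                    return False
            else:
                raise ValueError(f"operator {operator!r} not modelled here")
    return True


def evaluate(policy, action, context):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one action under one policy."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        effect = stmt["Effect"]
        if effect not in ("Allow", "Deny"):
            raise ValueError(f"invalid Effect {effect!r}: IAM accepts only Allow or Deny")
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if action not in actions and "*" not in actions:
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if effect == "Deny":
            return "Deny"          # explicit deny overrides any allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    for name, policy in [("MFA_ALLOW", MFA_ALLOW), ("PLAIN_ALLOW", PLAIN_ALLOW),
                         ("SERVICE_DENY", SERVICE_DENY)]:
        for ctx_name, ctx in [("mfa", MFA_SESSION), ("no-mfa", NO_MFA_SESSION),
                              ("long-term-keys", LONG_TERM_KEYS)]:
            print(name, ctx_name, evaluate(policy, "ec2:TerminateInstances", ctx))
    try:
        evaluate(BAD_EFFECT, "ec2:TerminateInstances", MFA_SESSION)
    except ValueError as err:
        print("BAD_EFFECT rejected:", err)
```

Running it shows that only the first policy grants the two actions to an MFA session while leaving both non-MFA contexts at an implicit deny; the second grants them to everyone; the third is rejected outright because the Effect value is not valid; and the fourth denies the actions to every human caller, MFA or not, because the condition matches whenever the service-principal key is absent. The real IAM engine also considers resource policies, SCPs and permission boundaries, which this model leaves out.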