Which two of the following options would allow an organization to enforce this policy for AWS users?
(Choose two.)
Configure multi-factor authentication for privileged IAM users
Create IAM users for privileged accounts
Implement identity federation between your organization’s Identity provider leveraging the IAM Security Token Service
Enable the IAM single-use password policy option for privileged users
Explanations:
Enabling multi-factor authentication (MFA) for privileged IAM users strengthens security by requiring a second factor (something the user has) in addition to the password (something the user knows), which aligns with the policy requiring additional security layers.
Creating IAM users for privileged accounts does not necessarily enforce the use of frequently rotated passwords or one-time access credentials. This option alone doesn’t enforce the policy specified.
Implementing identity federation and leveraging the AWS IAM Security Token Service (STS) allows the organization to issue temporary credentials, which can be rotated frequently and used as one-time access credentials, fulfilling the policy’s requirement.
AWS does not provide a “single-use password policy option.” The password policy can enforce complexity and expiration, but it does not automatically enforce single-use passwords. Therefore, this option doesn’t directly meet the requirement.