AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
A company has a single AWS account. Compliance requires that IAM users must enable multi-factor authentication (MFA) before they can invoke any AWS API except enrolling an MFA device or changing their own password. As a CloudOps engineer, which approach enforces this requirement with the least operational overhead and without changing existing group or user policies?
Deploy an AWS Config managed rule that checks each user for MFA; invoke an AWS Systems Manager Automation runbook to detach all policies from non-compliant users.
Attach a service control policy (SCP) at the root that denies every action for principals without MFA enabled, allowing only IAM actions to configure MFA.
Enable the Require MFA for console and programmatic access setting in the account and choose Enforce for all existing users.
Attach a customer managed IAM policy that allows iam:CreateVirtualMFADevice, iam:EnableMFADevice, iam:ResyncMFADevice, and iam:ChangePassword, and adds a Deny statement with NotAction listing those same actions and the condition BoolIfExists "aws:MultiFactorAuthPresent" set to "false"; attach the policy to all IAM users.
Correct answer: Attaching one customer-managed IAM policy with an explicit Deny that is conditioned on missing MFA is the simplest preventive control. The policy contains two statements:
An Allow statement that lists iam:CreateVirtualMFADevice, iam:EnableMFADevice, iam:ResyncMFADevice, and iam:ChangePassword so users can self-enroll and manage their password at any time.
A Deny statement that uses NotAction with the same list, Effect "Deny", and Condition "BoolIfExists: aws:MultiFactorAuthPresent=false". BoolIfExists matters because the aws:MultiFactorAuthPresent key is absent from the request context when a call is signed with long-term access keys; BoolIfExists treats a missing key as a match, so those requests are denied just like a console session that has not completed MFA. Because an explicit Deny overrides any Allow, all API calls except the listed IAM actions are blocked until the user authenticates with MFA. NotAction ensures the Deny does not apply to the operations needed for enrollment, meeting the requirement without additional services or changes to existing policies.
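The policy from the correct answer written out as a policy document, together with a small evaluator that walks through the Allow/NotAction/BoolIfExists logic for three request contexts (MFA session, console session without MFA, long-term access key). This is an added example, not part of the original question; the evaluator models only the Action/NotAction and BoolIfExists parts of IAM evaluation and ignores Resource.

```python
"""Constructed example: the MFA-gating policy and a mini IAM-style evaluator."""
import fnmatch

# The four self-service actions the question's correct answer names.
MFA_SELF_SERVICE = [
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:ResyncMFADevice",
    "iam:ChangePassword",
]

# The two-statement customer managed policy, as it would be attached to each user.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowMfaEnrollment", "Effect": "Allow",
         "Action": MFA_SELF_SERVICE, "Resource": "*"},
        {"Sid": "DenyEverythingElseWithoutMfa", "Effect": "Deny",
         "NotAction": MFA_SELF_SERVICE, "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

def _action_matches(stmt, action):
    # Action: statement applies when the action is in the list.
    # NotAction: statement applies when the action is NOT in the list.
    patterns = stmt.get("Action") or stmt.get("NotAction")
    hit = any(fnmatch.fnmatchcase(action, p) for p in patterns)
    return hit if "Action" in stmt else not hit

def _condition_matches(stmt, ctx):
    # BoolIfExists: a key missing from the request context counts as a match.
    # Requests signed with long-term access keys carry no MFA key, so they match.
    for key, want in stmt.get("Condition", {}).get("BoolIfExists", {}).items():
        if key in ctx and ctx[key].lower() != want.lower():
            return False
    return True

def evaluate(action, ctx):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for this policy alone.

    ImplicitDeny means this policy neither grants nor blocks the call, leaving
    the decision to the user's existing group or user policies.
    """
    allowed = False
    for stmt in POLICY["Statement"]:
        if _action_matches(stmt, action) and _condition_matches(stmt, ctx):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"      # explicit Deny always wins
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"
```

Running evaluate("s3:ListAllMyBuckets", {}) shows an access-key call with no MFA key in the context is explicitly denied, while the same call with aws:MultiFactorAuthPresent=true falls through to the user's other policies.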
Incorrect answers:
A service control policy (SCP) requires AWS Organizations and is unnecessary for a single standalone account.
AWS Config plus automation is detective, not preventive, and adds operational components.
There is no account-level setting that forces MFA for both console and programmatic access.
SOA-C03 exam domain: Security and Compliance