AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
Developers in your AWS account use IAM users and the AWS CLI. Management wants to allow them to run any read-only IAM operations at any time but block all IAM create, update, or delete API calls unless the request is authenticated with multi-factor authentication (MFA). Which approach meets this requirement while following AWS best practices?
Enable the AWS Config rule iam-user-mfa-enabled and set it to automatically remediate non-compliant users.
Create an account password policy that requires MFA and enforce it for the developer group.
Attach a policy to the developer group that contains an explicit Deny for IAM write actions and uses the condition BoolIfExists: {"aws:MultiFactorAuthPresent":"false"}.
Force developers to assume an IAM role and add a condition that compares aws:TokenIssueTime to deny requests older than 5 minutes.
An IAM policy can enforce MFA at the API level by adding an explicit Deny that is evaluated before any Allow statements. Using the BoolIfExists condition operator with the aws:MultiFactorAuthPresent key set to false denies requests that are not MFA-authenticated. This applies to both temporary credentials that are missing MFA and long-term credentials (like CLI access keys) where the MFA context key is not present. Applying this policy to the developer group blocks only the specified write actions when MFA is missing, while still permitting read-only calls. Account password policies, AWS Config rules, or AssumeRole time-based conditions cannot directly protect individual IAM API calls from non-MFA sessions.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the `aws:MultiFactorAuthPresent` condition key?
Open an interactive chat with Bash
What does the `BoolIfExists` operator do in IAM policies?
Open an interactive chat with Bash
Why is it best practice to use explicit Deny in IAM policies?
Open an interactive chat with Bash
What is the 'BoolIfExists' condition operator in AWS IAM policies?
Open an interactive chat with Bash
How does MFA improve security in AWS IAM access control?
Open an interactive chat with Bash
Why are explicit Deny statements preferred in IAM policies for MFA enforcement?
Open an interactive chat with Bash
AWS Certified CloudOps Engineer Associate SOA-C03
Security and Compliance
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .