A. B. C. D.
Answer - C.
The AWS Documentation gives an example of adding a bucket policy.
It ensures that users have access to the bucket only if they are MFA authenticated.
Options A and B are incorrect since the question talks about MFA and not encryption.
Option D is incorrect since aws:MultiFactorAuthPresent should be checked against the false value for a Deny policy.
For more information on this use case, refer to the URL below:
https://aws.amazon.com/premiumsupport/knowledge-center/enforce-mfa-other-account-access-bucket/
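The two Deny conditions that options C and D compare can be checked with a simplified model of how a Deny statement's condition is evaluated. This is an added example, not code from the AWS documentation or the original page; the bucket name and request contexts are constructed, and the evaluator is a sketch of the documented `Bool` / `BoolIfExists` semantics rather than AWS's implementation. It goes one step beyond the question by also showing the case where the key is absent from the request (long-term access keys).

```python
# Simplified model of Deny + aws:MultiFactorAuthPresent evaluation (assumption:
# only Bool and BoolIfExists operators, one statement, no Allow logic).

MFA_KEY = "aws:MultiFactorAuthPresent"

def condition_matches(operator, key, expected, context):
    """Evaluate a single Bool / BoolIfExists condition against a request context."""
    if key not in context:
        # Bool: an absent key never matches. BoolIfExists: an absent key matches.
        return operator == "BoolIfExists"
    return str(context[key]).lower() == expected.lower()

def is_denied(statement, context):
    """A Deny statement applies only if every condition in it matches."""
    if statement["Effect"] != "Deny":
        return False
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not condition_matches(operator, key, expected, context):
                return False
    return True

def deny_statement(operator, value):
    """Build the Deny statement under test (bucket name is a constructed placeholder)."""
    return {
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {operator: {MFA_KEY: value}},
    }

# Constructed request contexts.
CONTEXTS = {
    "mfa": {MFA_KEY: "true"},      # temporary credentials obtained with MFA
    "no_mfa": {MFA_KEY: "false"},  # temporary credentials obtained without MFA
    "long_term_keys": {},          # key is not present in the request context
}

def outcomes(statement):
    """Map each constructed caller to True (denied) or False (not denied)."""
    return {name: is_denied(statement, ctx) for name, ctx in CONTEXTS.items()}

if __name__ == "__main__":
    for op, val in (("Bool", "false"), ("Bool", "true"), ("BoolIfExists", "false")):
        print(op, val, outcomes(deny_statement(op, val)))
```

A result of `False` here means only that this Deny statement does not apply; access still requires an Allow elsewhere.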
The correct answer is D. Ensure that a bucket policy is in place with a condition of "aws:MultiFactorAuthPresent":"true" with a Deny policy.
Explanation: To fulfill the requirement of allowing access to sensitive documents in an S3 bucket only with Multi-Factor authentication, a bucket policy should be created with a condition that checks for the presence of Multi-Factor authentication.
A bucket policy is a JSON-based document that enables access control to S3 buckets and their contents. It provides fine-grained control over the access to S3 objects, such as read/write permissions, IP restrictions, and other parameters. In this case, the bucket policy should be set to deny access to any user who does not have Multi-Factor authentication enabled.
Option A is incorrect because enabling server-side encryption does not ensure that Multi-Factor authentication is required to access the documents in the bucket. Server-side encryption only protects the data at rest.
Option B is incorrect because enabling encryption with KMS keys only provides an additional layer of security to protect the data. It does not ensure that Multi-Factor authentication is required to access the documents in the bucket.
Option C is incorrect because the condition "aws:MultiFactorAuthPresent":"false" with a Deny policy would deny access to all users who have Multi-Factor authentication enabled. It is the opposite of the requirement.
Therefore, option D is the correct answer as it ensures that the bucket policy checks for the presence of Multi-Factor authentication before granting access to the documents in the bucket.