Q44 — AWS SCS-C02 Ch.1
Question 44 of 100
A security engineer is designing an IAM policy to protect AWS API operations. The policy must enforce multi-factor authentication (MFA) for IAM users to access certain services in the AWS production account. Each session must remain valid for only 2 hours. The current version of the IAM policy is as follows: Which combination of conditions must the security engineer add to the IAM policy to meet these requirements? (Choose two.)
- A. "Bool": {"aws:MultiFactorAuthPresent": "true"} ✓
- B. "Bool": {"aws:MultiFactorAuthPresent": "false"}
- C. "NumericLessThan": {"aws:MultiFactorAuthAge": "7200"} ✓
- D. "NumericGreaterThan": {"aws:MultiFactorAuthAge": "7200"}
- E. "NumericLessThan": {"MaxSessionDuration": "7200"}
Correct Answer: A. "Bool": {"aws:MultiFactorAuthPresent": "true"}, C. "NumericLessThan": {"aws:MultiFactorAuthAge": "7200"}
Explanation
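To meet the requirements in the question, the IAM policy must enforce multi-factor authentication (MFA), and each session must remain valid for only 2 hours. The condition in option A, "aws:MultiFactorAuthPresent": "true", ensures that the user has authenticated with MFA. The condition in option C, "NumericLessThan": {"aws:MultiFactorAuthAge": "7200"}, ensures that the session is valid for no more than 2 hours (7200 seconds). The other options fail either the MFA requirement or the session-validity requirement.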