IAM Policy for MFA-Authenticated S3 Bucket Listing

Secure Access: Custom IAM Policy for MFA-Authenticated S3 Bucket Listing

Prev Question Next Question

Question

You are designing a custom IAM policy that would allow users to list buckets in S3 only if they are MFA authenticated.

Which of the following would best match this requirement?

Answers

A. { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::*", "Condition": { "Bool": {"aws:MultiFactorAuthPresent": true} } } }

B. { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::*", "Condition": { "Bool": {"aws:MultiFactorAuthPresent":false} } } }

C. { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::*", "Condition": { "aws:MultiFactorAuthPresent":false } } }

D. { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::*", "Condition": { "aws:MultiFactorAuthPresent":true } } }

Show Answer

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Answer: A.

Option A is CORRECT because the condition clause ensures users can only access resources if they are MFA authenticated.

The bool attribute in the condition element will return a value "true" which will ensure that access is allowed to list S3 resources.

Option B is incorrect because the aws:MultiFactorAuthPresent clause is marked as false, whereas it should be marked as true.

True indicates the user has an activated MFA, and it allows list access.

Options C and D are incorrect because the “bool” clause is missing in the evaluation for the condition clause.

Boolean conditions let you construct condition elements that restrict access based on comparing a key to "true" or "false."

For more information on an example of such a policy, please visit the following URL:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_mfa-dates.html

The correct answer for the requirement to allow users to list buckets in S3 only if they are MFA authenticated is option D:

json
{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::*", "Condition": { "aws:MultiFactorAuthPresent":true } } }

Explanation: The IAM policy is designed to allow users to perform the s3:ListAllMyBuckets and s3:GetBucketLocation actions only if they are authenticated with MFA.

This is achieved by using a condition called aws:MultiFactorAuthPresent. This condition is a Boolean value that indicates whether the request was made with MFA authentication.

The aws:MultiFactorAuthPresent condition is set to true in the policy, which means that the policy will only allow the actions if MFA authentication is present.

Option A is incorrect because it correctly sets the condition to aws:MultiFactorAuthPresent, but sets it to true, which allows the actions to be performed only when MFA authentication is present.

Option B is incorrect because it sets the condition to aws:MultiFactorAuthPresent but sets it to false, which means that the policy will allow the actions even if MFA authentication is not present.

Option C is incorrect because it sets the condition to aws:MultiFactorAuthPresent, but does not set a value for the condition. The policy will not be able to evaluate the condition and will deny all requests for the specified actions.

Therefore, the correct answer is option D.

Prev Question Next Question