AWS Certified SysOps Administrator - Associate: Understanding Bucket Policies | Exam Question Answer

Denying Access Based on MFA Age | Bucket Policy Explanation

Question

Your team member has defined the following bucket policy on one of the buckets.

    {
      "Version": "2012-10-17",
      "Id": "Sample123",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": "arn:aws:s3:::examplebucket/*",
          "Condition": { "Null": { "aws:MultiFactorAuthAge": true }}
        }
      ]
    }

What does this bucket policy do?

Answers

Explanations


Correct Answer: D.

According to the AWS documentation, the bucket policy shown above denies bucket access to any user who is not authenticated via MFA. Options A, B and C are incorrect.

For more information on sample bucket policies, please refer to the following URL:

https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
When Amazon S3 receives a request with MFA authentication, the aws:MultiFactorAuthAge key provides a numeric value indicating how long ago (in seconds) the temporary credential was created. If the temporary credential provided in the request was not created using an MFA device, this key value is null (absent). In a bucket policy, you can add a condition to check this value, as shown in the following example bucket policy. The policy denies any Amazon S3 operation on the /taxdocuments folder in the examplebucket bucket if the request is not MFA authenticated. To learn more about MFA authentication, see Using Multi-Factor Authentication (MFA) in AWS in the IAM User Guide.

    {
      "Version": "2012-10-17",
      "Id": "123",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": "arn:aws:s3:::examplebucket/taxdocuments/*",
          "Condition": { "Null": { "aws:MultiFactorAuthAge": true }}
        }
      ]
    }

This bucket policy denies access to objects in the bucket named "examplebucket" for any user, group, or role (the Principal "*") whose request was not authenticated using multi-factor authentication (MFA), that is, whose request carries no MFA age value. The Effect is "Deny", so any S3 action (Action "s3:*") on any object in the bucket (Resource "arn:aws:s3:::examplebucket/*") is refused whenever the Condition matches.

The Condition uses the Null operator on the aws:MultiFactorAuthAge key with the value true, which matches when that key is absent from the request context. The key is absent when the credentials were not obtained with MFA, so in that case the Deny statement applies and the request is refused. When the key is present (the credentials were obtained with MFA), the Deny statement does not apply; the request is then allowed only if some other policy grants it, because an explicit Deny that does not match grants nothing by itself.
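As an added illustration (not part of the original question and not AWS's own policy engine), the following Python model shows how the Null condition in this statement is evaluated against a request context. The Principal check is skipped because "*" matches every caller, and the request contexts and object key are constructed values.

```python
import fnmatch

# Added example, not from the page or from AWS: a minimal model of how the
# Deny statement above is evaluated. It covers only what this policy uses
# (the "Null" condition operator, glob-style Action/Resource wildcards) and
# skips the Principal check, since Principal "*" matches every caller.
POLICY = {
    "Version": "2012-10-17",
    "Id": "Sample123",
    "Statement": [{
        "Sid": "",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::examplebucket/*",
        "Condition": {"Null": {"aws:MultiFactorAuthAge": True}},
    }],
}

def null_condition_matches(cond, context):
    # "Null": {key: true} matches when the key is ABSENT from the request
    # context; {key: false} matches when it is present with any value.
    for key, want_absent in cond.items():
        present = context.get(key) is not None
        if present == want_absent:
            return False
    return True

def statement_matches(stmt, action, resource, context):
    if not fnmatch.fnmatchcase(action, stmt["Action"]):
        return False
    if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
        return False
    null_cond = stmt.get("Condition", {}).get("Null", {})
    return null_condition_matches(null_cond, context)

def is_denied(policy, action, resource, context):
    """True when a Deny statement matches. A Deny that does not match grants
    nothing; the request still needs an Allow from some other policy."""
    return any(s["Effect"] == "Deny"
               and statement_matches(s, action, resource, context)
               for s in policy["Statement"])

# Constructed request contexts (hypothetical values). Credentials obtained
# with MFA carry aws:MultiFactorAuthAge = seconds since they were created;
# credentials obtained without MFA have no such key at all.
MFA_REQUEST = {"aws:MultiFactorAuthAge": 120}
NO_MFA_REQUEST = {}
OBJ = "arn:aws:s3:::examplebucket/taxdocuments/2023.pdf"
```

Note that the Resource "arn:aws:s3:::examplebucket/*" covers object ARNs only, so a bucket-level call such as s3:ListBucket on "arn:aws:s3:::examplebucket" is not matched by this Deny even without MFA.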

Option C is the correct answer because the bucket policy denies access to the bucket if the user has used an MFA device for authentication. Therefore, option D, which denies access to the bucket if the user is not authenticating via MFA device, is incorrect. Options A and B are also incorrect because the bucket policy does not mention anything about password or access key authentication.