Storing Sensitive Documents in an S3 Bucket with Multi-Factor Authentication

Ensure Security: Multi-Factor Authentication for Access to Sensitive Documents in S3 Bucket


Question

Your company is planning to store documents in an S3 bucket.

The documents are sensitive, and employees should use Multi-Factor authentication when trying to access documents.

Which of the following must be done to fulfill this requirement?

Answers

Explanations


A. B. C. D.

Answer - C.

The AWS documentation gives an example bucket policy for this case: a Deny statement on the bucket's objects whose condition matches when the request was not made with MFA-authenticated credentials.

Note that the example only lists write actions (s3:PutObject, s3:PutObjectAcl, s3:DeleteObject); to require MFA for reading the documents, s3:GetObject must be added to the Action list. The Deny statement grants nothing by itself: an Allow in the bucket policy or in the employees' IAM policies is still needed for MFA-authenticated requests to succeed.

Options A and B are incorrect since the question talks about MFA and not encryption.

Option D is incorrect since, for a Deny policy, aws:MultiFactorAuthPresent must be checked against the false value: the Deny has to fire when MFA is absent, not when it is present. The BoolIfExists operator is used rather than Bool so that requests made with long-term access keys, which carry no aws:MultiFactorAuthPresent key at all, are denied as well.

For more information on this use case scenario, please refer to the below URL-

https://aws.amazon.com/premiumsupport/knowledge-center/enforce-mfa-other-account-access-bucket/

{
  "Version": "2012-10-17",
  "Id": "Policy201612130001aa",
  "Statement": [
    {
      "Sid": "Stmt201612130001ab",
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::example.accounta.bucket/*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
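To see why the Deny statement above tests for "false" with BoolIfExists, the following added example (not code from the page or from AWS) simulates how the IAM condition operators Bool, BoolIfExists and Null treat the aws:MultiFactorAuthPresent key for three kinds of request: temporary credentials obtained with MFA, temporary credentials obtained without MFA, and long-term access keys, which carry no such key. The account ID, bucket name, added s3:GetObject action and request contexts are constructed for illustration; the evaluator models only these three operators for a single key, not full IAM policy evaluation.

```python
"""Added example (not from the page or AWS): a minimal simulation of how the
IAM condition operators Bool, BoolIfExists and Null treat the
aws:MultiFactorAuthPresent key, applied to the page's Deny statement.
Account ID, bucket name and the request contexts are constructed."""
import copy

MFA_KEY = "aws:MultiFactorAuthPresent"

# Constructed: the Deny statement shape from the page, with s3:GetObject added
# so that reads of the documents are covered too.  The Condition block is
# filled in by build_policy().
DENY_STATEMENT = {
    "Sid": "DenyWithoutMFA",
    "Effect": "Deny",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"],
    "Resource": "arn:aws:s3:::example.accounta.bucket/*",
}

# Constructed request contexts.  AWS populates aws:MultiFactorAuthPresent only
# for temporary credentials (console session, sts:AssumeRole, GetSessionToken);
# a request signed with long-term access keys carries no such key at all.
CONTEXTS = {
    "temporary credentials, MFA used":    {MFA_KEY: "true"},
    "temporary credentials, no MFA":      {MFA_KEY: "false"},
    "long-term access keys (key absent)": {},
}


def build_policy(operator, value):
    """Return a bucket policy whose Deny statement uses the given condition."""
    statement = copy.deepcopy(DENY_STATEMENT)
    statement["Condition"] = {operator: {MFA_KEY: value}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def condition_matches(condition, context):
    """Evaluate a Condition block against a request context.

    Models the IAM semantics for single-valued keys: Bool requires the key to
    be present and equal; BoolIfExists also matches when the key is absent;
    Null with "true" matches only when the key is absent."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                if (expected.lower() == "true") != (not present):
                    return False
            elif operator == "Bool":
                if not present or context[key].lower() != expected.lower():
                    return False
            elif operator == "BoolIfExists":
                if present and context[key].lower() != expected.lower():
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def is_denied(policy, action, context):
    """True if any Deny statement in the policy matches the action and context.

    Allow statements are ignored on purpose: an explicit Deny is what this page
    is about, and a separate Allow is still needed for any access to succeed."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


def denial_matrix(operator, value, action="s3:GetObject"):
    """Map each sample context to whether the Deny fires under this condition."""
    policy = build_policy(operator, value)
    return {name: is_denied(policy, action, ctx) for name, ctx in CONTEXTS.items()}


if __name__ == "__main__":
    # Compare the page's condition with the common mistakes.
    for operator, value in [("BoolIfExists", "false"), ("Bool", "false"),
                            ("Null", "true"), ("Bool", "true")]:
        print(f'"{operator}": {{"{MFA_KEY}": "{value}"}}')
        for name, denied in denial_matrix(operator, value).items():
            print(f"  {name:36} -> {'DENIED' if denied else 'not denied'}")
```

Running it shows that only BoolIfExists/"false" denies both the non-MFA temporary-credential request and the long-term-key request while letting the MFA request through. Plain Bool/"false" lets long-term access keys through because the key is absent, Null/"true" lets non-MFA temporary credentials through, and Bool/"true" (the page's option D) denies exactly the MFA-authenticated users.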

The correct answer is C. Ensure that a bucket policy is in place with a condition of "aws:MultiFactorAuthPresent":"false" with a Deny policy.

Explanation: To allow access to the sensitive documents in the S3 bucket only with Multi-Factor authentication, a bucket policy should be created with a Deny statement whose condition checks whether the request was made with MFA-authenticated credentials.

A bucket policy is a JSON-based document that controls access to an S3 bucket and its contents. It provides fine-grained control over access to S3 objects, such as read/write permissions, IP restrictions, and other request attributes. In this case, the bucket policy should deny access for any request that does not carry an MFA-authenticated session. Note that the condition is evaluated per request, not per user: what matters is whether the credentials used for the request were obtained with MFA, not whether the user has an MFA device configured.

Option A is incorrect because enabling server-side encryption does not ensure that Multi-Factor authentication is required to access the documents in the bucket. Server-side encryption only protects the data at rest.

Option B is incorrect because enabling encryption with KMS keys only adds another layer of protection for the data at rest. It does not ensure that Multi-Factor authentication is required to access the documents in the bucket.

Option D is incorrect because the condition "aws:MultiFactorAuthPresent":"true" with a Deny policy would deny access to exactly those users who did authenticate with Multi-Factor authentication, while letting requests without MFA through. It is the opposite of the requirement.

Therefore, option C is the correct answer: the Deny statement fires when the request was not made with MFA, and a separate Allow (in the bucket policy or in the employees' IAM policies) grants access to the documents for MFA-authenticated requests.