Why should you enable multi-factor authentication (MFA) on the AWS root account?
Think about how MFA helps protect accounts beyond just a password.
Enabling MFA adds a second verification step, making it harder for unauthorized users to access the root account even if they know the password.
Choose the AWS CLI command that correctly associates a virtual MFA device with an IAM user named 'alice'.
Look for the command that enables MFA with authentication codes.
The enable-mfa-device command links the MFA device to the user by providing two consecutive authentication codes from the device.
An IAM policy requires MFA for accessing S3 buckets. What is the result if the user tries to access the bucket without MFA?
Consider how IAM policies enforce conditions.
If the policy requires MFA and the user is not authenticated with MFA, AWS denies access to the resource.
If an IAM user loses their MFA device, what is the recommended AWS process to restore access?
Think about who controls MFA device management for IAM users.
Only an administrator can remove or deactivate the lost MFA device and assign a new one to maintain security.
You manage multiple AWS accounts linked via AWS Organizations. You want to enforce MFA for all IAM users across all accounts without manually configuring each account. Which AWS feature or approach achieves this most effectively?
Consider centralized policy enforcement across multiple accounts.
AWS Organizations SCPs allow you to centrally enforce policies like requiring MFA across all member accounts, preventing users from bypassing MFA.