You want to enforce MFA for all IAM users in your AWS account to improve security. Which approach is the best practice to achieve this?

hard📝 Best Practice Q15 of 15
AWS - Identity and Access Management
A. Use a single MFA device shared by all users to simplify management
B. Create an IAM policy that denies all actions unless MFA is used, then attach it to all users
C. Require users to change passwords every 30 days instead of using MFA
D. Manually enable MFA on each user without any policy enforcement
Step-by-Step Solution
Solution:
  1. Step 1: Understand MFA enforcement methods

    To enforce MFA, you need a policy that denies actions unless MFA is present. This ensures users cannot bypass MFA, even on accounts where it is already enabled.
  2. Step 2: Evaluate options for best practice

    Option B (create an IAM policy that denies all actions unless MFA is used, then attach it to all users) uses an IAM policy to enforce MFA for all users, which is scalable and secure. The other options either lack enforcement or reduce security.
  3. Final Answer:

    Create an IAM policy that denies all actions unless MFA is used, then attach it to all users -> Option B
  4. Quick Check:

    Enforce MFA with deny policy = Create an IAM policy that denies all actions unless MFA is used, then attach it to all users [OK]
Quick Trick: Use deny policy requiring MFA for all users [OK]
Common Mistakes:
  • Relying on manual enabling without enforcement
  • Using password rotation instead of MFA
  • Sharing one MFA device among users
