Your organization’s security policy requires that all privileged users either use frequently rotated passwords or one-time access credentials in addition to username/password.
Which two of the following options would allow an organization to enforce this policy for AWS users?
Choose 2 answers
A. Configure multi-factor authentication for privileged IAM users
B. Create IAM users for privileged accounts
C. Implement identity federation between your organization’s Identity provider leveraging the IAM Security Token Service
D. Enable the IAM single-use password policy option for privileged users
A. for rotating password.
C. for one time credentials.
A and B(can set password policy)
AB. Looks like D is also an answer, but there was no such single-use policy.
A and C
B doesn’t address single use or frequently rotated passwords.
Option D doesn’t exist
Answer is DB to pass certification according to Pass4Sure
Sorry, answer is AB
A and C
“all privileged users either use frequently rotated passwords or one-time access credentials in addition to username/password.” –> one-time access + user/name pass = Multi Factor Auth
http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html
The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
The AWS STS API actions return temporary security credentials that consist of an access key and a session token. The access key consists of an access key ID and a secret key. Users (or an application that the user runs) can use these credentials to access your resources. When the credentials are created, they are associated with an IAM access control policy that limits what the user can do when using the credentials.
I don’t think B is correct b/c it doesn’t say anything about restricting privileged users. It also doesn’t address either rotation or temp credentials, which C does.
Read above that you “could” use password rotation if you created user policy for Answer B, but I would argue that it doesn’t say that. For sure w/ C you get temp creds, you “could” also set password rotation on the client side (AD).
You must do at least the temp creds, so there’s nothing implicit in the answer.
I looked at the last two versions in aiotestking and in the last version AC was dominant and in the previous version AB was dominant, but the explanation was lacking. I do think AC is the correct answer.
Ans: A & C **
AB
A:one-time access credentials in addition to username/password
B:privileged users use frequently rotated passwords
Answer : A and B
Configure multi-factor authentication for privileged IAM users
Create IAM users for privileged accounts (can set password policy)
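The policy in the question can also be checked after the fact. The following is an added example, not part of the original question or of any comment above: it reads rows in the column layout of the IAM credential report and flags privileged console users who have neither MFA active nor a recently changed password. The sample rows, the privileged-user set, the 90-day limit and the function name `audit` are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the IAM credential report column layout
# (only the columns this check reads are included).
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_changed,mfa_active
alice,arn:aws:iam::111122223333:user/alice,true,2024-01-10T09:00:00+00:00,true
bob,arn:aws:iam::111122223333:user/bob,true,2024-05-20T09:00:00+00:00,false
carol,arn:aws:iam::111122223333:user/carol,true,2023-06-01T09:00:00+00:00,false
dave,arn:aws:iam::111122223333:user/dave,false,N/A,false
"""
# Constructed "current time" so the result is reproducible.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def audit(report_csv, privileged, max_age_days, now):
    """Return {user: reason} for privileged console users that satisfy
    neither branch of the policy: MFA active, or password changed within
    max_age_days. Federated identities using STS are not IAM users, so
    they do not appear in this report and must be reviewed at the IdP."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user not in privileged:
            continue
        if row["password_enabled"] != "true":
            continue  # no console password: nothing to rotate
        if row["mfa_active"] == "true":
            continue  # second factor present
        try:
            changed = datetime.fromisoformat(row["password_last_changed"])
        except ValueError:
            # Values such as "N/A" carry no timestamp; fail closed.
            findings[user] = "no MFA, password age unknown"
            continue
        age = (now - changed).days
        if age > max_age_days:
            findings[user] = f"no MFA, password {age} days old"
    return findings


if __name__ == "__main__":
    privileged = {"alice", "bob", "carol", "dave"}  # hypothetical list
    print(audit(SAMPLE_REPORT, privileged, 90, SAMPLE_NOW))
```
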