Your organization’s security policy requires that all privileged users either use frequently rotated passwords or
one-time access credentials in addition to username/password.
Which two of the following options would allow an organization to enforce this policy for AWS users?
Choose 2 answers
A. Configure multi-factor authentication for privileged IAM users
B. Create IAM users for privileged accounts
C. Implement identity federation between your organization’s identity provider leveraging the IAM Security Token Service
D. Enable the IAM single-use password policy option for privileged users
I would go for A and B
See also: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Enable MFA for privileged users
For extra security, enable multifactor authentication (MFA) for privileged IAM users (users who are allowed access to sensitive resources or APIs). With MFA, users have a device that generates a unique authentication code (a one-time password, or OTP) and users must provide both their normal credentials (like their user name and password) and the OTP. The MFA device can either be a special piece of hardware, or it can be a virtual device (for example, it can run in an app on a smartphone).
Thx, F
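As an added example (not part of the thread or of the AWS documentation quoted above), the policy in the question can be checked against an IAM credential report: a privileged console user passes if MFA is active or the password was changed recently. The column names are those of the credential report CSV; the sample rows, the set of privileged user names and the 90-day threshold are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the IAM credential report CSV layout (subset of columns).
SAMPLE_REPORT = """user,arn,password_enabled,password_last_changed,mfa_active
alice,arn:aws:iam::111122223333:user/alice,true,2024-05-20T09:00:00+00:00,false
bob,arn:aws:iam::111122223333:user/bob,true,2023-01-15T09:00:00+00:00,true
carol,arn:aws:iam::111122223333:user/carol,true,2023-02-01T09:00:00+00:00,false
dave,arn:aws:iam::111122223333:user/dave,true,2022-11-30T09:00:00+00:00,false
ci-bot,arn:aws:iam::111122223333:user/ci-bot,false,N/A,false
"""


def audit(report_csv, privileged, now, max_age_days=90):
    """Return {user: reason} for privileged console users that have neither
    MFA nor a password changed within max_age_days (assumed threshold)."""
    findings = {}
    cutoff = now - timedelta(days=max_age_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Skip users outside the privileged set and users without a console password.
        if user not in privileged or row["password_enabled"] != "true":
            continue
        if row["mfa_active"] == "true":
            continue  # one-time code required at sign-in: policy satisfied
        try:
            changed_at = datetime.fromisoformat(row["password_last_changed"])
        except ValueError:
            # Values such as "N/A" or "not_supported" cannot be aged.
            findings[user] = "no MFA, password age unknown"
            continue
        if changed_at < cutoff:
            age = (now - changed_at).days
            findings[user] = f"no MFA, password {age} days old"
    return findings


if __name__ == "__main__":
    # Hypothetical list of privileged users and a fixed audit date.
    admins = {"alice", "bob", "carol", "ci-bot"}
    today = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for name, reason in audit(SAMPLE_REPORT, admins, today).items():
        print(f"{name}: {reason}")
```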
I don’t agree with B – there is no such thing as “privileged account”, account can have privileged users but by itself it’s just an account.
Agree with Frank – A & B
Nice find Frank! A and B.
Option A already mentions there is a privileged user why choose B?
Configure multi-factor authentication for “privileged IAM users”
Agree with A but not sure about B vs. C. Simply creating an IAM user doesn’t solve the issue. IAM users need a correctly configured password policy. Likewise if you choose to federate to an external / non-AWS entity such as AD, you can hope that similar policies would be enforced there but there is no guarantee that they will be. So, not sure at all between B and C.
I like A and D because the question is asking about “use frequently rotated passwords or one-time access credentials”
1- You can apply a password policy to your AWS account to require all your IAM users to rotate their passwords for frequently rotated password (Answer is D)
2- Use MFA for one time password (Answer is A)
I think A & D will be right but most of the sites have A & B.
A & D
B – Even if you create an IAM user, it does not talk about frequently rotated passwords
C – Even if you federate, you do not know anything about password rotation policy
A & C
B – wrong, no rotated password
D – AWS has no single-use policy option, you have to write the policy yourself, so the answer is wrong.
A – one time access creds
C – password rotation by group policy (windows AD) or other way.
The only problem with D is that such an option doesn’t exist in IAM Password Policy.
Correct answers are A and B.
The correct answer is:
C) Implement identity federation between your organization’s Identity provider leveraging the IAM Security Token Service
D) Enable the IAM single-use password policy option for privileged users
ab
For me, A – D
A: one time access
D: rotate password life time
ab is the right ans
The trick is —OR— : “that all privileged users either use frequently rotated passwords OR one-time access credentials in addition to username/password.”
MFA and accounts for privileged users (A and B) are correct.
The “single-use” policy does not exist. You can create a password policy to expire passwords from 1 to 1065 days…
AB are correct.
AB
AC
A for obvious reason
B Users are already present so wrong
C STS is kind of 1 time access, because next time it will again authenticate
D No such service in IAM so wrong
A & B
Question is not clear:
you need both at the same time? Then A and B.
A and B – First you have to define/create privileged users, and also have MFA policy for them
A. Configure multi-factor authentication for privileged IAM users
B. Create IAM users for privileged accounts