An administrator needs the ability to read and update infrastructure for a specific AWS account, but only when using MFA. The security team wants to eliminate long-lived administrator access keys and ensure that even if someone obtains temporary session credentials, actions are only allowed with MFA present.
Which IAM design best meets these requirements?
Answer choices
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Create an IAM user for administrators with AdministratorAccess and require MFA only at the IAM user login.
AdministratorAccess grants too much privilege and still relies on long-lived access keys. MFA at login does not prevent use of existing sessions without MFA constraints.
Create an IAM role for administration and use a permissions policy that allows only the required read/write actions. Add a condition to deny all allowed actions unless aws:MultiFactorAuthPresent is true.
A role-based approach removes long-lived keys and supports temporary credentials. Using a permissions-policy condition to require MFA presence enforces that the session must have MFA to perform actions, aligning with the “actions only allowed with MFA present” requirement.
Attach policies to an IAM user that allow read/write actions and enable MFA in the account, but do not use condition keys in IAM policies.
Enabling MFA at the account level is not the same as enforcing MFA presence for each API call. Without condition keys, sessions may still be used without MFA constraints.
Use a role with the correct actions but enforce MFA only in the application by prompting users for an OTP before every API call.
Client-side enforcement is not reliable and can be bypassed. Security should be enforced at the IAM policy layer using condition keys to control authorization.
Common exam trap
Logging in proves the user can authenticate. It does not automatically mean the user is allowed to enter privileged or configuration mode. Watch for AAA authorization, privilege level and command authorization details.
Technical deep dive
This kind of question is testing the difference between identity and permission. A user may successfully log in to a router because authentication is working, but still fail to enter configuration mode because authorization is missing, misconfigured or mapped to a lower privilege level.
Related practice questions
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Practise SAA-C03 questions linked to SAA-C03 VPC.
Practise SAA-C03 questions linked to SAA-C03 S3 lifecycle policy questions.
Practise SAA-C03 questions linked to SAA-C03 RDS Multi-AZ questions.
Practise SAA-C03 questions linked to SAA-C03 IAM policy.
Practise SAA-C03 questions linked to SAA-C03 Route 53 failover questions.
Practise SAA-C03 questions linked to SAA-C03 CloudFront.
Practise SAA-C03 questions linked to SAA-C03 NAT gateway questions.
Practise SAA-C03 questions linked to SAA-C03 VPC endpoint questions.
Practise SAA-C03 questions linked to SAA-C03 Auto Scaling.
Practise SAA-C03 questions linked to SAA-C03 disaster recovery questions.
Practise SAA-C03 questions linked to SAA-C03 high availability questions.
Practise SAA-C03 questions linked to SAA-C03 cost optimization questions.
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
Question 2
Question 3
Question 4
Question 5
Question 6
FAQ
Authentication checks who the user is.
The correct answer is: Create an IAM role for administration and use a permissions policy that allows only the required read/write actions. Add a condition to deny all allowed actions unless aws:MultiFactorAuthPresent is true. — The best design is to use an IAM role for administrator access so users receive temporary credentials instead of long-lived access keys. Then restrict actions to only what administrators need via least-privilege permissions. To guarantee MFA is required for the authorization decision, use IAM policy conditions (for example, a deny statement that triggers when aws:MultiFactorAuthPresent is false). This makes the MFA requirement an enforcement point at API authorization time, not a login-only workflow, ensuring access is denied if MFA context is absent. Why others are wrong: Option A keeps long-lived IAM users and AdministratorAccess, which violates least-privilege and key-management expectations. Option C depends on account-level MFA without policy condition enforcement, which does not guarantee MFA presence for every API call. Option D relies on application prompts, which are not authoritative and can be bypassed; the security control must be enforced by IAM during authorization.
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
Sign in to join the discussion.