A multinational company is implementing AWS Organizations to manage multiple accounts across business units. The security team requires that all IAM users in member accounts use a specific password policy and have MFA enabled. Which combination of actions should the company take to enforce these requirements?
- A. Use an SCP to enforce a specific password policy and require MFA across all accounts.
  Why wrong: SCPs cannot enforce a password policy or require MFA; they only allow or deny actions.
- B. Use AWS Config rules to automatically set the password policy and enable MFA for all users.
  Why wrong: AWS Config rules can detect non-compliance but do not remediate it automatically unless combined with custom automation.
- C. Use an SCP to deny changes to the password policy and to deny deactivation of MFA devices. Use AWS Config rules to detect non-compliant users.
  Why correct: SCPs can block the actions that modify the password policy or deactivate MFA devices, and AWS Config can detect non-compliant users.
- D. Use AWS CloudTrail to monitor password policy changes and MFA status, and trigger an automatic remediation.
  Why wrong: CloudTrail logs API activity but does not enforce or remediate.