AWS Certified Security – Specialty SCS-C01 – Question 264

A company has two AWS accounts: Account A and Account B. Account A has an IAM role that IAM users in Account B assume when they need to upload sensitive documents to Amazon S3 buckets in Account A.
A new requirement mandates that users can assume the role only if they are authenticated with multi-factor authentication (MFA). A security engineer must recommend a solution that meets this requirement with minimum risk and effort.
Which solution should the security engineer recommend?

A. Add an aws:MultiFactorAuthPresent condition to the role's permissions policy.
B. Add an aws:MultiFactorAuthPresent condition to the role's trust policy.
C. Add an aws:MultiFactorAuthPresent condition to the session policy.
D. Add an aws:MultiFactorAuthPresent condition to the S3 bucket policies.

Correct Answer: D