You are designing a custom IAM policy that would allow users to list buckets in S3 only if they are MFA authenticated. Which of the following would best match this requirement?

Answer options:

A. {
 "Version": "2012-10-17",
 "Statement": {
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*",
"Condition": {
 "Bool": {"aws:MultiFactorAuthPresent": true}
}
 }
 }
B. {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*",
"Condition": {
"Bool": {"aws:MultiFactorAuthPresent":false}
}
}
}
C. {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*",
"Condition": {
"aws:MultiFactorAuthPresent":false
}
}
}
D.{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*",
"Condition": {
"aws:MultiFactorAuthPresent":true
}
}
}

Answer: A
Option A is CORRECT because the condition clause ensures users can only access resources if they are MFA authenticated. The bool attribute in the condition element will return a value "true" which will ensure that access is allowed to list S3 resources.
Option B is incorrect because the aws:MultiFactorAuthPresent clause is marked as false, whereas it should be marked as true. True indicates the user has an activated MFA, and it allows list access.
Options C and D are incorrect because the “bool” clause is missing in the evaluation for the condition clause. Boolean conditions let you construct condition elements that restrict access based on comparing a key to "true" or "false."
For more information on an example of such a policy, please visit the following URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_mfa-dates.html