DVA-C02 · Question #297
A developer must use multi-factor authentication (MFA) to access data in an Amazon S3 bucket that is in another AWS account. Which AWS Security Token Service (AWS STS) API operation should the develop
The correct answer is D. AssumeRole. AssumeRole is the correct choice because it is the only STS operation that supports MFA as part of the request - you pass the SerialNumber (MFA device ARN) and TokenCode (current OTP) parameters to temporarily assume a role in another AWS account, which is exactly the cross-accou
Question
A developer must use multi-factor authentication (MFA) to access data in an Amazon S3 bucket that is in another AWS account. Which AWS Security Token Service (AWS STS) API operation should the developer use with the MFA information to meet this requirement?
Options
- AAssumeRoleWithWebIdentity
- BGetFederationToken
- CAssumeRoleWithSAML
- DAssumeRole
How the community answered
(25 responses)- A8% (2)
- B16% (4)
- C4% (1)
- D72% (18)
Explanation
AssumeRole is the correct choice because it is the only STS operation that supports MFA as part of the request - you pass the SerialNumber (MFA device ARN) and TokenCode (current OTP) parameters to temporarily assume a role in another AWS account, which is exactly the cross-account + MFA pattern described.
AssumeRoleWithWebIdentity (A) is for federating identities from external web identity providers like Google or Amazon Cognito - it has no MFA parameter support. GetFederationToken (B) generates temporary credentials for federated users but does not support cross-account access or MFA enforcement at the API level. AssumeRoleWithSAML (C) is for SAML 2.0 enterprise federation (e.g., Active Directory), not MFA-protected cross-account access.
Memory tip: Think "Assume you need MFA to Role-play in someone else's account" - whenever you see cross-account + MFA together, AssumeRole is the answer. The WithWebIdentity and WithSAML variants are for external identity providers, and GetFederationToken doesn't do cross-account.
Topics
Community Discussion
No community discussion yet for this question.