nerdexam
Amazon

DVA-C02 · Question #297

A developer must use multi-factor authentication (MFA) to access data in an Amazon S3 bucket that is in another AWS account. Which AWS Security Token Service (AWS STS) API operation should the develop

The correct answer is D. AssumeRole. AssumeRole is the correct choice because it is the only STS operation that supports MFA as part of the request - you pass the SerialNumber (MFA device ARN) and TokenCode (current OTP) parameters to temporarily assume a role in another AWS account, which is exactly the cross-accou

Submitted by alyssa_d· Mar 5, 2026Development with AWS Services

Question

A developer must use multi-factor authentication (MFA) to access data in an Amazon S3 bucket that is in another AWS account. Which AWS Security Token Service (AWS STS) API operation should the developer use with the MFA information to meet this requirement?

Options

  • AAssumeRoleWithWebIdentity
  • BGetFederationToken
  • CAssumeRoleWithSAML
  • DAssumeRole

How the community answered

(25 responses)
  • A
    8% (2)
  • B
    16% (4)
  • C
    4% (1)
  • D
    72% (18)

Explanation

AssumeRole is the correct choice because it is the only STS operation that supports MFA as part of the request - you pass the SerialNumber (MFA device ARN) and TokenCode (current OTP) parameters to temporarily assume a role in another AWS account, which is exactly the cross-account + MFA pattern described.

AssumeRoleWithWebIdentity (A) is for federating identities from external web identity providers like Google or Amazon Cognito - it has no MFA parameter support. GetFederationToken (B) generates temporary credentials for federated users but does not support cross-account access or MFA enforcement at the API level. AssumeRoleWithSAML (C) is for SAML 2.0 enterprise federation (e.g., Active Directory), not MFA-protected cross-account access.

Memory tip: Think "Assume you need MFA to Role-play in someone else's account" - whenever you see cross-account + MFA together, AssumeRole is the answer. The WithWebIdentity and WithSAML variants are for external identity providers, and GetFederationToken doesn't do cross-account.

Topics

#AWS STS#IAM Roles#MFA#Cross-Account Access

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice