Apply least-privilege access when authoring policies is correct because it requires granting only the specific actions and resources that a user or role needs to perform their tasks and this reduces the blast radius of compromised credentials or misconfiguration.

Applying least privilege means scoping permissions to exact actions and ARNs and adding conditions when possible. You implement this by narrowing allowed actions, restricting resource ARNs, using condition keys, and testing policies with tools such as the IAM policy simulator or IAM Access Analyzer before deployment.

Use IAM roles to delegate permissions is incorrect because roles are a mechanism for granting or assuming permissions and do not by themselves define which actions or resources should be allowed. You still must apply least privilege when you write the role policies.

Enforce MFA for administrator accounts is incorrect because multifactor authentication strengthens how identities authenticate but it does not limit the scope of permissions granted in IAM policies.

AWS Organizations service control policies is incorrect because service control policies set organization level guardrails and can deny broad classes of actions across accounts but they do not replace the practice of granting only the precise permissions to each identity and they operate at a different control layer.

Full AWS Practitioner Certification Question