We recommend that you configure an administrative user in AWS IAM Identity Center (successor to AWS Single Sign-On) to perform daily tasks and access AWS resources. However, you can perform the tasks listed below only when you sign in as the root user of an account. Show
Tasks
Follow these recommendations to help protect the security of the member accounts in in your organization. These recommendations assume that you also adhere to the best practice of using the root user only for those tasks that truly require it. Topics
Use a group email address for all member account root users
Use a complex password for member account root user
Enable MFA for your root user credentialsFor instructions on how to enable multi-factor authentication (MFA), see Using multi-factor authentication (MFA) in AWS.
Add the management account's phone number to the member account contact information
Review and keep track of who has access
Document the processes for using the root user credentials
Use an SCP to restrict what the root user in your member accounts can doWe recommend that you create a service control policy (SCP) in the organization and attach it to the organization's root so that it applies to all member accounts. The following example SCP prevents the root user in any member account from being able to make any AWS service API calls.
In the majority of circumstances, any administrative tasks can be performed by either an AWS Identity and Access Management (IAM) role in the member account that has relevant administrator permissions. Any such roles should have suitable controls applied that limit, log, and monitor activity. Apply controls to monitor access to the root user credentials
What is the best practice for the AWS root user account?Never share your AWS account root user password or access keys with anyone. Use a strong password to help protect access to the AWS Management Console. For information about managing your AWS account root user password, see Changing the password for the root user.
Which of the following are recommended security best practices for the AWS account root user select two?Here are some best practices to consider when securing your account and its resources: Safeguard your passwords and access keys. Activate multi-factor authentication (MFA) on the AWS account root user and any users with interactive access to AWS Identity and Access Management (IAM)
What is an IAM best practice for AWS account root user access keys?As a best practice, do not use root user access keys. Instead, we strongly recommend that in addition to using a password or biometric lock on your mobile device, you create an IAM user to manage AWS resources. If you lose your mobile device, you can remove the IAM user's access.
Which of the following should be done by the AWS account root user?Which of the following should be done by the AWS account root user. Changing the AWS support plan can only be done by the AWS account root user. The other tasks are done with IAM.
|