What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account?
(Choose two.)
Use the AWS account root user access keys instead of the AWS Management Console
Enable multi-factor authentication for the AWS IAM users with the AdministratorAccess managed policy attached to them
Enable multi-factor authentication for the AWS account root user
Use AWS KMS to encrypt all AWS account root user and AWS IAM access keys and set automatic rotation to 30 days
Do not create access keys for the AWS account root user; instead, create AWS IAM users
Explanations:
Using the AWS account root user access keys is not recommended for security reasons. The root user should only be used for account setup and critical management, not for everyday use.
Enabling multi-factor authentication (MFA) for IAM users with the AdministratorAccess policy is good practice, but it doesn’t directly protect the root user account, which is the focus of the question.
Enabling multi-factor authentication (MFA) for the AWS account root user adds a layer of protection and significantly reduces the risk of unauthorized access.
AWS KMS is for encrypting data, not for encrypting access keys. Access keys should not be stored in an encrypted form; instead, they should be managed securely or avoided entirely for the root user.
Avoiding the creation of access keys for the root user and instead using IAM users for day-to-day activities is a best practice to minimize the security risks associated with the root user.