Exam AWS Certified Cloud Practitioner topic 1 question 147 discussion

b is correct

The answer to this Question is D. It is asking "which is not a recommended practice". A: Securely lock away you root user access key. Recommended B: Enable MFA on root user. Recommended C: Create access key for root User. Recommended D. Not Recommended. (You are supposed to rotate root users password if you are keeping it even though best practice says delete it). Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

The answer to this question is Option B - Enable multi factor authentication for the root user https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-best-practices.html Here are few ways to Secure your root user credentials to prevent unauthorized use Use a strong root user password to help protect access Secure your root user sign-in with multi-factor authentication (MFA) Don't create access keys for the root user Use multi-person approval for root user sign-in wherever possible Use a group email address for root user credentials

The answer should not be C. create access key to root user, because root user can access to all services and all resources, it's mean if root account got access key it can access to CLI and do everything in AWS easier. AWS recommended that we should use root account only permission is needed and should use management console to manage AWS services and resources. ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-best-practices.html

b is correct

B. Enable multi-factor authentication (MFA) for the root user.

According to AWS documentation, "Enable AWS multi-factor authentication (MFA) on your AWS account root user." is recommendation. C canot be the answer according to AWS documentation "You use an access key (an access key ID and secret access key) to make programmatic requests to AWS. However, we strongly recommend that you do not create an AWS account root user access key. The access key for your AWS account root user gives full access to all your resources for all AWS services, including your billing information. You can't reduce the permissions associated with your AWS account root user access key." Reference: https://docs.aws.amazon.com/accounts/latest/reference/best-practices-root-user.html

Enabling multi-factor authentication (MFA) for the root user is considered an AWS best practice for managing an AWS account. MFA adds an extra layer of security to the account by requiring an additional authentication factor, such as a physical token or a virtual MFA device, in addition to the password. This helps protect the root user from unauthorized access and reduces the risk of compromise.

Safeguard your root user credentials by configuring MFA for your root user credentials. We don't recommend generating access keys for your root user, because they allow full access to all your resources. source: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

B. Enable multi-factor authentication (MFA) for the root user. Enabling multi-factor authentication (MFA) for the root user is an AWS best practice for managing an AWS account. MFA adds an additional layer of security to an account by requiring a user to provide a second form of authentication in addition to their password, such as a code generated by an authenticator app or a hardware token. This makes it much more difficult for unauthorized users to access the account, even if they have obtained the root user's password.

The AWS best practice for managing an AWS account root user is to enable multi-factor authentication (MFA) for the root user. This provides an additional layer of security to protect the root user account from unauthorized access. Option A is not a best practice as keeping the root user password with the security team may increase the risk of the password being compromised. Option C is not recommended as creating access keys for the root user can lead to the key being accidentally exposed and used to gain unauthorized access to the account. Option D is not recommended as using consistent passwords for compliance purposes can increase the risk of the password being compromised. It is recommended to use strong, unique passwords and rotate them periodically

B is the answer

B is mostly correct, but it is actually better to not use the root account at all, only for emergencies

The AWS account root user is the most privileged user in an AWS account, and has complete access to all AWS resources and services. As a best practice, it is recommended to enable multi-factor authentication (MFA) for the root user to add an extra layer of security. With MFA, users will be required to provide not just a password but also a unique authentication code generated by a device such as a hardware token or a smartphone app. This helps prevent unauthorized access to the AWS account, even if the password is compromised. It is also recommended to avoid using the root user for everyday tasks and instead create IAM users with the necessary permissions. Access keys should not be used for the root user, as they provide long-term access to the AWS account and should be used with caution. Keeping the password consistent for compliance purposes is not necessarily a security best practice, and can make it easier for attackers to gain unauthorized access if the password is known or compromised.

b is correct

When you create an AWS account you establish a root user name and password to sign in to the AWS Management Console. Safeguard your root user credentials the same way you would protect other sensitive personal information. You can do this by configuring MFA for your root user credentials. We don't recommend generating access keys for your root user, because they allow full access to all your resources for all AWS services, including your billing information. Don’t use your root user for everyday tasks. Use the root user to complete the tasks that only the root user can perform. For the complete list of tasks that require you to sign in as the root user, see Tasks that require root user credentials in the AWS Account Management Reference Guide.

AWS recommends enabling multi-factor authentication (MFA) for the root user of an AWS account to provide an additional layer of security. MFA requires the use of a second form of authentication, such as a one-time code generated by an authentication app or a hardware token, in addition to a password. This makes it much harder for an attacker to gain access to the root user account, even if they have obtained the password.