AWS Certified Cloud Practitioner — Question 440

A company is using AWS Identity and Access Management (IAM).

Who can manage the access keys of the AWS account root user?

Answer options

• A. IAM users in the same account that have been granted permission
• B. IAM roles in any account that have been granted permission
• C. IAM users and roles that have been granted permission
• D. The AWS account owner

Correct answer: D

Explanation

The AWS account root user credentials are the most sensitive credentials in an AWS account, and only the AWS account owner logging in as the root user can manage its access keys. No IAM users or roles, even those with administrator permissions, can access, create, or modify the access keys of the root user. This restriction is a fundamental security boundary in AWS to prevent privilege escalation and unauthorized root access.