AWS Certified Security – Specialty — Question 75

What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account? (Choose two.)

Answer options

• A. Use the AWS account root user access keys instead of the AWS Management Console
• B. Enable multi-factor authentication for the AWS IAM users with the AdministratorAccess managed policy attached to them
• C. Enable multi-factor authentication for the AWS account root user
• D. Use AWS KMS to encrypt all AWS account root user and AWS IAM access keys and set automatic rotation to 30 days
• E. Do not create access keys for the AWS account root user; instead, create AWS IAM users

Correct answer: C, E

Explanation

The correct answers are C and E because enabling multi-factor authentication (MFA) for the root user adds an essential layer of security, making unauthorized access much more difficult. Additionally, not creating access keys for the root user and instead using IAM users minimizes the risk of exposing root credentials. Options A, B, and D do not adequately protect the root user or involve practices that are less secure or unnecessary.