AWS Certified Solutions Architect – Associate (SAA-C03) — Question 704

A company has established a new AWS account. The account is newly provisioned and no changes have been made to the default settings. The company is concerned about the security of the AWS account root user.

What should be done to secure the root user?

Answer options

• A. Create IAM users for daily administrative tasks. Disable the root user.
• B. Create IAM users for daily administrative tasks. Enable multi-factor authentication on the root user.
• C. Generate an access key for the root user. Use the access key for daily administration tasks instead of the AWS Management Console.
• D. Provide the root user credentials to the most senior solutions architect. Have the solutions architect use the root user for daily administration tasks.

Correct answer: B

Explanation

To secure a new AWS account, AWS best practices dictate enabling multi-factor authentication (MFA) on the root user and using individual IAM users for daily administrative duties. You cannot disable the root user, making option A incorrect. Generating access keys for the root user or using it for daily tasks (options C and D) poses severe security risks and violates the principle of least privilege.