AWS Certified SysOps Administrator – Associate (legacy) — Question 895
A SysOps Administrator needs to confirm that security best practices are being followed with the AWS account root user.
How should the Administrator ensure that this is done?
Answer options
- A. Change the root user password by using the AWS CLI routinely.
- B. Periodically use the AWS CLI to rotate access keys and secret keys for the root user.
- C. Use AWS Trusted Advisor security checks to review the configuration of the root user.
- D. Periodically distribute the AWS compliance document from AWS Artifact that governs the root user configuration.
Correct answer: C
Explanation
AWS Trusted Advisor provides automated security checks that specifically monitor root user security, such as verifying whether multi-factor authentication (MFA) is enabled and checking that no active access keys are associated with the root user. Creating or regularly rotating access keys for the root user via the AWS CLI goes against security best practices, which dictate that root access keys should be deleted entirely. AWS Artifact is used to retrieve compliance reports and agreements, not to actively audit or monitor account configurations.