Which is the most appropriate best practice for handling the root user of an AWS account?
Choosing the correct way to handle the root user (best practice).
Do not use it for daily work, enable MFA, and store the credentials securely.
Correct. The root user has the most powerful permissions in the account, so you should not use it for daily work; perform necessary tasks with scoped-down IAM users or roles. The best practice is to enable MFA on the root user and store its credentials securely.
Share the root user credentials with all developers.
Because the root user has the highest permissions, sharing its credentials is a serious risk.
You also cannot trace who performed actions, which is the opposite of best practice, so it is incorrect.
Perform all day-to-day operations as the root user.
Day-to-day operations as the root user make the damage from mistakes or leaks enormous.
Daily work should be done with least-privilege IAM users, so it is incorrect.
Leave MFA disabled for the root user.
The root user is the account that most needs protection, so disabling MFA is dangerous.
The best practice is to enable MFA, so it is incorrect.
For the root user, the rules are don't use it daily / enable MFA / store credentials securely / use least-privilege IAM for daily work. Sharing, daily operations, and disabling MFA are all dangerous anti-patterns.
・MFA (multi-factor authentication): in addition to a password, it also requires another factor such as a one-time code to strengthen identity verification.
・SSO (single sign-on): a single authentication lets you sign in to multiple accounts and apps (on AWS, provided by IAM Identity Center).