Which IAM best practices improve the security of an AWS account? (Choose TWO.)

Select all that apply
Correct answer: B, C

Explanation

This question asks you to pick the two options that are IAM security best practices.

  • improve the security: measures that reduce the risk of credential leaks and unauthorized access.
  • best practices: recommended practices such as enabling MFA and granting least privilege.
A: Incorrect

Grant PowerUserAccess to all developers by default so that work is not blocked by insufficient permissions.

PowerUserAccess is an AWS managed policy that allows nearly every action in every service; essentially the only thing it excludes is IAM (and Organizations) administration.

Granting such broad permissions to everyone by default, for convenience, violates the principle of least privilege and widens the blast radius of a mistake or a leaked credential, so this is incorrect.

B: Correct

Enable MFA for privileged users and the root user.

Correct. MFA (multi-factor authentication) requires an additional verification factor at sign-in, such as a one-time code from an authenticator app or a hardware security key, on top of the password. Enabling MFA for privileged users and the root user prevents a leaked password alone from being enough to sign in. MFA matters most for the identities whose compromise would do the most damage, and the root user is the most critical of all.

C: Correct

Grant users only the minimum permissions required for their work.

Correct. Following the principle of least privilege, allowing only the actions and resources a task actually needs, limits what a leaked credential or a mistaken command can do. This is the foundation of IAM design.
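The difference between option A and option C, as an added example that is not part of the original question or of any AWS material: a small Python evaluator that applies two identity policies to the same requests. The PowerUserAccess shape is simplified (the real managed policy also allows a handful of IAM and Organizations read and service-linked-role actions); the bucket and table names, the account ID, the application's "needed" actions and the "dangerous" actions are all constructed for illustration.

```python
"""Toy IAM policy evaluator: a PowerUserAccess-style policy vs a least-privilege policy.

Added example, not from the original question or from AWS. It implements only
the part of IAM evaluation needed here: an explicit Deny beats Allow, an Allow
beats the implicit default deny, and '*' / '?' wildcards in Action, NotAction
and Resource. Real IAM evaluation also involves conditions, resource policies,
permission boundaries, session policies and SCPs.
"""
import fnmatch

# Simplified shape of the AWS managed PowerUserAccess policy (constructed here):
# everything is allowed except the IAM and Organizations namespaces.
POWER_USER_LIKE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"},
    ],
}

# Least-privilege policy for a hypothetical app that reads one bucket and
# writes one DynamoDB table. Names and account ID are illustrative assumptions.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-app-assets",
                      "arn:aws:s3:::example-app-assets/*"]},
        {"Effect": "Allow",
         "Action": ["dynamodb:PutItem", "dynamodb:GetItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/example-orders"},
    ],
}

# Constructed requests: what the app legitimately needs, plus the damage a
# leaked credential could do with the same policy attached.
NEEDED = [
    ("s3:GetObject", "arn:aws:s3:::example-app-assets/index.html"),
    ("dynamodb:PutItem", "arn:aws:dynamodb:us-east-1:123456789012:table/example-orders"),
]
DANGEROUS = [
    ("s3:DeleteBucket", "arn:aws:s3:::example-app-assets"),
    ("ec2:TerminateInstances", "*"),
    ("kms:ScheduleKeyDeletion", "arn:aws:kms:us-east-1:123456789012:key/abcd-1234"),
    ("iam:CreateUser", "*"),  # excluded by PowerUserAccess's NotAction iam:*
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM action names are case-insensitive; fnmatchcase handles '*' and '?'.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Return True if the identity policy allows `action` on `resource`."""
    allowed = False
    for stmt in policy["Statement"]:
        if "Action" in stmt:
            action_hit = _matches(stmt["Action"], action)
        else:  # NotAction: the statement applies to every action NOT listed
            action_hit = not _matches(stmt["NotAction"], action)
        resource_hit = _matches(stmt.get("Resource", "*"), resource)
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit deny always wins
        allowed = True
    return allowed


def blast_radius(policy, requests):
    """Count how many (action, resource) requests the policy permits."""
    return sum(is_allowed(policy, action, resource) for action, resource in requests)


if __name__ == "__main__":
    for name, policy in (("PowerUserAccess-like", POWER_USER_LIKE),
                         ("least privilege", LEAST_PRIVILEGE)):
        print(f"{name:21} needed: {blast_radius(policy, NEEDED)}/{len(NEEDED)}"
              f"  dangerous: {blast_radius(policy, DANGEROUS)}/{len(DANGEROUS)}")
```

Both policies let the application do its job, but only the least-privilege policy leaves a leaked key unable to delete the bucket, terminate instances or schedule a KMS key for deletion. Note that PowerUserAccess still blocks `iam:CreateUser`, which is exactly why its exclusion of IAM is not a substitute for scoping the rest.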

D: Incorrect

Issue long-term access keys to applications instead of using IAM roles.

Long-term access keys never expire on their own: they stay valid until someone rotates or revokes them by hand, so a leaked key can be abused for as long as nobody notices.

The best practice is to give applications an IAM role (an instance profile on EC2, and the equivalent role attachments on other AWS compute services), which issues short-lived credentials that expire automatically. Routinely embedding long-term keys in applications is therefore not recommended, and this option is incorrect.

E: Incorrect

If MFA is set on the root user, MFA can be omitted for IAM users.

Setting MFA on the root user is itself a correct best practice, but it protects only the root credentials. A compromised privileged IAM user can still cause significant damage, so such users cannot be left without MFA.

The recommendation is to enable MFA for privileged IAM users in addition to the root user, so claiming it can be skipped for IAM users is wrong, and this option is incorrect.
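Options B, D and E describe conditions that can be checked mechanically in an account. The following Python audit is an added example, not part of the original question or of any AWS tooling: it parses an IAM credential report and flags console users without MFA (including the root user), active access keys on the root user, and long-term keys that have not been rotated. The report text is constructed for the example, though its column names follow the CSV that `aws iam get-credential-report` returns; the 90-day rotation threshold and the fixed "now" timestamp are assumptions.

```python
"""Audit an IAM credential report for missing MFA and long-lived access keys.

Added example, not from the original question or from AWS. SAMPLE_REPORT is a
constructed report; its header row uses the real column names of the IAM
credential report. In a real run you would base64-decode the `Content` field
returned by `aws iam get-credential-report` and pass the text to
audit_credential_report().
"""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # rotation threshold; an assumption for this example
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so results are reproducible
ROOT = "<root_account>"  # how the credential report names the root user

# Constructed sample report. Four identities: root with an old access key and
# no MFA, an admin with MFA and no keys, a developer without MFA holding a
# stale key, and a CI user with one fresh key and one two-year-old key.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-10T09:00:00+00:00,not_supported,2024-05-30T08:00:00+00:00,not_supported,not_supported,false,true,2020-01-10T09:05:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice-admin,arn:aws:iam::123456789012:user/alice-admin,2021-03-01T10:00:00+00:00,true,2024-05-31T12:00:00+00:00,2024-01-15T10:00:00+00:00,2024-04-15T10:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob-dev,arn:aws:iam::123456789012:user/bob-dev,2022-07-20T10:00:00+00:00,true,2024-05-29T12:00:00+00:00,2024-03-01T10:00:00+00:00,2024-06-01T10:00:00+00:00,false,true,2023-11-01T10:00:00+00:00,2024-05-28T09:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-02-01T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-04-01T10:00:00+00:00,2024-05-31T22:00:00+00:00,us-east-1,sts,true,2022-05-01T10:00:00+00:00,2024-05-31T21:00:00+00:00,us-east-1,ecr,false,N/A,false,N/A
"""


def _age_days(timestamp):
    """Whole days between an ISO-8601 report timestamp and NOW."""
    return (NOW - datetime.fromisoformat(timestamp)).days


def audit_credential_report(report_csv, privileged_users=()):
    """Return a list of (user, finding) tuples for the report text."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == ROOT
        # Root always has a console password; IAM users only if password_enabled.
        can_sign_in = is_root or row["password_enabled"] == "true"
        if can_sign_in and row["mfa_active"] != "true":
            role = "root" if is_root else ("privileged user" if user in privileged_users else "user")
            findings.append((user, f"console sign-in without MFA ({role})"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root has an active access key {n}; delete it"))
            age = _age_days(row[f"access_key_{n}_last_rotated"])
            if age > MAX_KEY_AGE_DAYS:
                findings.append((user, f"access key {n} is {age} days old (> {MAX_KEY_AGE_DAYS}); "
                                       "rotate it or replace it with a role"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, {"alice-admin", "bob-dev"}):
        print(f"{user:15} {finding}")
```

The MFA check is deliberately limited to identities that can sign in to the console, because that is what `mfa_active` reflects; for access-key-only users the remedy is the one in option D, replacing the keys with a role, rather than MFA.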

Key Takeaway

IAM best practices: MFA for privileged/root users, grant least privilege, avoid daily root use, do not hardcode access keys, and use roles and temporary credentials.