Root User Best Practices

What it is: The recommended security steps for protecting the AWS account root user.

What it’s for:

• Reduce the chance of account takeover.
• Ensure only authorized people can perform sensitive account-level actions.

Must-do recommendations (exam essentials):

• Enable MFA for root user (strongest protection).
• Create a strong password for root user.
• Do NOT create root access keys for daily use. Use roles/users instead.
• Do NOT share root credentials broadly. Keep root usage extremely limited.
• Do NOT email the root password or store it in insecure places.

Why these match your question (Select two):

• ✅ Enable MFA for the AWS account root user account.
• ✅ Create a strong password for the AWS account root user.

Why the other options are bad (quick):

• “Encrypt access keys and save on S3” → still risky; don’t rely on storing long-term keys (especially root keys).
• “Create root access keys and share with owner” → root access keys are dangerous; best practice is to avoid them.
• “Email username/password” → email is not a secure secret store; increases leakage risk.

Hard words:

• *account takeover* /əˈkaʊnt ˈteɪkˌoʊvər/: chiếm tài khoản
• *credentials* /krəˈdɛnʃəlz/: thông tin đăng nhập
• *leakage* /ˈliːkɪdʒ/: rò rỉ
• *secure* /sɪˈkjʊr/: an toàn

See also:

• IAM
• MFA
• Least Privilege