AWS Certified Solutions Architect - Associate

Explanation

Correct Answers: A and B

Why A and B are correct:

1. A. Ensure the root user uses a strong password - This is a fundamental security best practice for any user account, especially the root user which has unrestricted access to all AWS services and resources.

2. B. Enable multi-factor authentication to the root user - MFA adds an extra layer of security beyond just a password. Even if the password is compromised, an attacker would still need access to the MFA device to gain entry.

Why the other options are incorrect:

C. Store root user access keys in an encrypted Amazon S3 bucket - This is NOT recommended. Root user access keys should generally not be created or used. If access keys are needed, they should be created for IAM users with appropriate permissions, not for the root user. Storing access keys anywhere, even encrypted, creates unnecessary security risks.

D. Add the root user to a group containing administrative permissions - This is not possible. The root user cannot be added to IAM groups. The root user exists outside of IAM and has inherent, unrestricted permissions that cannot be modified.

E. Apply the required permissions to the root user with an inline policy document - This is not possible. The root user's permissions cannot be modified through IAM policies. The root user has full administrative access by default and cannot have permissions restricted or modified through IAM.

AWS Security Best Practices for Root User:

1. Use a strong, unique password
2. Enable MFA
3. Do NOT create access keys for the root user
4. Use the root user only for specific account management tasks (like changing account settings, enabling IAM, etc.)
5. Create IAM users for daily operations with appropriate permissions
6. Regularly monitor root user activity through AWS CloudTrail

These practices ensure that the most privileged account in your AWS environment is properly secured against unauthorized access.