Which of the following is an AWS best practice for managing an AWS account root user?
Show
Five Best practices for AWS root accountsKeeping your Amazon account secure is a major concern for every AWS user and admin. Here are the top five AWS root user account best practices every organization should follow:
Let’s break these down one by one. AWS root account securityCredentials for the AWS root account should be shared only with a select group of individuals on the IT team. Don’t share the AWS root account with the CEO, or with an auditor or compliance officer. Only as small number of individuals should know where the root credentials are stored. Create rules about how to access that credential, and what steps to follow when the root account password is updated. If you must assign elevated rights to a user temporarily, create a time-boxed role for that individual. But never share AWS root account credentials. AWS root access keysAnother AWS root account best practice is to delete any programmatic access keys associated with the root user. If a PEM file or DER certificate exists for the root account, that doubles the root account’s attack surface. Delete those keys immediately. In rare instances, an administrator might perform an administrative function as a root user. There are no reasons why a piece of software should programmatically log in as root with user’s access keys. Enable root MFABy default, AWS accounts are only protected by a username and password. The best practice here is to enable MFA. With a password, you prove who you are with a piece of information that only you know. MFA ups the ante by requiring not only what you know but also what you have. In addition to a password the user must also provide a token or code, generated on a device that is not the device on which the user is attempting to log in as the AWS root. Many Gmail or Facebook users are familiar with using SMS messages with MFA. AWS is much stricter — an SMS message to a mobile device is not a valid MFA option. For AWS, the only valid MFA options are:
Securing access to the root AWS account is a crucial best practice. If your organization uses any of the devices listed above, include them in an MFA routine. MFA is a commonly accepted best practice for root AWS account security. Rotate AWS passwordsThere is no default password rotation for the AWS root account. Once the AWS root password is set, there are no rules that require regular password updates. However, admins can easily create a setup to regularly rotate passwords by updating the password policy attached to the account. A general AWS root user best practice is to set the password rotation period to at least 90 days. For even more security, set it to 60 days. Create administrative accountsFor day-to-day administration of the AWS console, create an administrative group and add trusted users who need elevated rights. The root AWS account can never be deleted, and the rights associated with the root account cannot be revoked. Admins can, however, remove a user from the administrative group or suspend a user’s account altogether. Furthermore, with administrative access provisioned on a per-account basis, admins can monitor the actions of a specific user to identify any peculiar activity that warrant investigation. If the root account is shared by multiple users, there is no way to identify which user performed which administrative tasks. More AWS security best practicesA core tenet of server-side security is to respect the principle of least privilege. An AWS root account best practice is to always respect the principle of least privilege. How to protect the super user accountAn admin should assign to users only the minimal rights to perform their required tasks. Furthermore, don’t add users to the administrative group every time they perform a one-off administrative function — use AWS roles instead. Also, regularly monitor exactly who is included in your account’s administrative group. If a user moves on to a non-administrative role, do not allow that user to perform management functions in AWS. Follow these AWS root account best practices, and you’ll ensure that nefarious cyber-criminals never gain access to your cloud-computing credentials. What does AWS recommend as the best practice for the AWS account root user?Enable MFA on the AWS account root user
We recommend that you follow the security best practice to enable multi-factor authentication (MFA) for your account. Because your root user can perform sensitive operations in your account, adding an additional layer of authentication helps you to better secure your account.
Which of the following is an AWS best practice for managing an AWS account?Safeguard your passwords and access keys. Activate multi-factor authentication (MFA) on the AWS account root user and any users with interactive access to AWS Identity and Access Management (IAM) Limit AWS account root user access to your resources. Audit IAM users and their policies frequently.
What is an IAM best practices for AWS account root user access keys?AWS Identity and Access Management Best Practices. Require multi-factor authentication (MFA) ... . Rotate access keys regularly for use cases that require long-term credentials. ... . Safeguard your root user credentials and don't use them for everyday tasks. ... . Set permissions guardrails across multiple accounts.. What is the best practice of using the root user?Root of it all. |