Q45 — AWS SCS-C02 Ch.1
Question 45 of 100 | ← Chapter 1
What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account? (Choose two.)
- A. Use the AWS account root user access keys instead of the AWS Management Console.
- B. Enable multi-factor authentication (MFA>>> for the AWS IAM users with the AdministratorAccess managed policy attached to them.
- C. Use AWS KMS to encrypt all AWS account root user and AWS IAM access keys and set automatic rotation to 30 days.
- D. Do not create access keys for the AWS account root user; instead, create AWS IAM users. ✓
- E. Enable multi-factor authentication for the AWS account root user. ✓
Correct Answer: D. Do not create access keys for the AWS account root user; instead, create AWS IAM users., E. Enable multi-factor authentication for the AWS account root user.
Explanation
AWS安全最佳实践中,根用户权限最高,需严格保护。AWS官方文档强调根用户应避免使用访问密钥(Access Keys),因其权限过大,存在高风险。D选项遵循此原则,建议通过IAM用户执行日常操作,减少根用户暴露。E选项建议为根用户启用MFA,增加登录验证层次,符合AWS身份验证增强要求。A选项错误,因使用根用户访问密钥违反最小权限原则;B选项针对IAM用户,非根用户;C选项提及加密和轮换,但根用户不应创建访问密钥,故此策略不适用。AWS安全白皮书和IAM最佳实践明确强调根用户MFA和避免访问密钥的必要性。