IAM Best Practices and MFA
Enable MFA, rotate access keys, use the IAM credential report, and review common IAM misconfigurations caught in audits.
IAM Best Practices Overview
AWS publishes an IAM best-practices list that the exam draws on constantly: lock away the root user, turn on MFA, prefer roles over long-lived access keys, grant least privilege, and rotate credentials.
Lock Away the Root User
No IAM policy can restrict the root user (only an AWS Organizations service control policy applied to a member account can), so harden it: enable MFA, delete its access keys, and use it only for the few tasks that genuinely require root.
# Check whether Security Hub has an ACTIVE finding that the root user lacks MFA.
# The CONTAINS match catches the Foundational Security Best Practices control title
# ("MFA should be enabled for the root user"); empty output means no active finding,
# or Security Hub is not enabled in this region.
aws securityhub get-findings \
--filters '{"RecordState":[{"Value":"ACTIVE","Comparison":"EQUALS"}],"Title":[{"Value":"MFA should be enabled for the root","Comparison":"CONTAINS"}]}' \
--query 'Findings[].Title'
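Security Hub only tells you what a control already flagged. The IAM credential report (the second tool this lesson covers) lets you check the root and credential items of the checklist yourself. The script below is an added example written for this lesson, not course or AWS code: it parses a credential-report CSV and flags root without MFA, root with an active access key, console users without MFA, and access keys older than a rotation window. The CSV is a constructed sample using the real report's column names (a subset of them), the fixed clock `NOW` and the function names are my own, and the commented `boto3` fetch at the bottom assumes the report has already finished generating.

```python
"""Audit an IAM credential report against the root/MFA/rotation checklist items.

Added example for this lesson, not course code.  The real report comes from
`aws iam get-credential-report`; SAMPLE_REPORT below is a constructed stand-in
with the same column names (a subset of the full report).
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample credential report (not from a real account).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,not_supported,false,true,2020-01-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-02-10T00:00:00+00:00,true,2024-05-30T12:00:00+00:00,2023-02-10T00:00:00+00:00,false,true,2023-11-01T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2024-01-05T00:00:00+00:00,false,no_information,N/A,false,true,2024-04-20T00:00:00+00:00,false,N/A
carol,arn:aws:iam::111122223333:user/carol,2022-06-01T00:00:00+00:00,true,2024-06-01T09:30:00+00:00,2024-03-01T00:00:00+00:00,true,false,N/A,false,N/A
"""

# Fixed clock (assumption for reproducible output); use datetime.now(timezone.utc) live.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse_ts(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean 'none'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_key_age_days=90):
    """Return a list of (user, issue) tuples for every checklist violation found."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]

        # Root: MFA must be on and no access key may exist at all.
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append((user, "root MFA disabled"))
            for slot in ("1", "2"):
                if row[f"access_key_{slot}_active"] == "true":
                    findings.append((user, f"root access key {slot} active"))
            continue

        # Human users with a console password need MFA; service users without a
        # password are not flagged for it.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))

        # Active access keys must have been rotated inside the window.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or now - rotated > timedelta(days=max_key_age_days):
                age = "unknown" if rotated is None else f"{(now - rotated).days}d"
                findings.append((user, f"access key {slot} not rotated ({age})"))
    return findings


if __name__ == "__main__":
    for user, issue in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {issue}")
    # To run against a real account (needs iam:GenerateCredentialReport and
    # iam:GetCredentialReport; assumes the report is already in COMPLETE state):
    #   import boto3
    #   iam = boto3.client("iam")
    #   iam.generate_credential_report()
    #   report = iam.get_credential_report()["Content"].decode("utf-8")
    #   print(audit_credential_report(report, now=datetime.now(timezone.utc)))
```

Run it and the sample produces four findings: root without MFA, root with an active key, alice using the console without MFA, and alice's 213-day-old key. Widening `max_key_age_days` to 365 drops the last one, which is the knob to tune to your own rotation policy.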