Advanced Controls, Boundaries, and Best Practices
MFA
Mandatory first step for the Root user and privileged accounts. Supported device types:
- Virtual MFA
- U2F / YubiKey
- Hardware Token

IAM Access Analyzer
Identifies resources (S3 buckets, IAM roles) that are shared with external accounts.

Credential Report
Account-level CSV listing every IAM user and the status of their credentials (MFA enabled, password age).

Permission Boundary
Maximum permissions an IAM entity (User/Role) can have. It does not grant access on its own; the entity can only do what both its identity policies and the boundary allow.

Organizations SCP
Service Control Policy applied to an Account or OU. Limits what the Root user and IAM users in that account can do.

Best Practices
- Enable MFA on Root & Privileged Users
- Rotate Access Keys every 90 days
- Enforce a strong Password Policy
- Use IAM Roles for EC2/Lambda (no long-term access keys)
If a question asks how to allow a developer to create IAM users but prevent them from creating admins, the answer is Permission Boundaries. If a question asks how to restrict a specific service (such as Redshift) across an entire department account, the answer is SCPs.
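To make the "boundary caps but does not grant" and "SCP restricts the whole account" distinction concrete, here is an added example (not AWS code and not the page's own material) that models how an identity policy, a permission boundary and an SCP combine into a single allow/deny decision. It is deliberately simplified: only the Action element is matched (no Resource, Condition or NotAction handling), and the developer policy, boundary and department SCP below are constructed for illustration, not recommended production policies.

```python
# Added example (not AWS code): simplified model of how an identity policy,
# a permission boundary and an Organizations SCP combine.
# Assumptions: Action matching only (no Resource/Condition/NotAction);
# all policy documents below are constructed samples.
import fnmatch


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive and allow '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate_policy(policy: dict, action: str) -> str:
    """Evaluate one policy document for an action.

    Returns "Deny" (explicit deny), "Allow", or "Implicit" when no statement
    matches. An explicit Deny wins over any Allow in the same document.
    """
    decision = "Implicit"
    for stmt in policy.get("Statement", []):
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_action_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_allowed(action: str, identity_policy: dict, boundary=None, scp=None) -> bool:
    """A request succeeds only if every layer in force allows it and none denies it."""
    layers = [identity_policy]
    if boundary is not None:
        layers.append(boundary)
    if scp is not None:
        layers.append(scp)
    results = [evaluate_policy(layer, action) for layer in layers]
    if "Deny" in results:
        return False
    return all(r == "Allow" for r in results)


# Constructed sample documents (illustrative only).
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:*", "iam:CreateUser", "iam:AttachUserPolicy", "redshift:*"]},
    ],
}

# Boundary: caps the developer at S3, creating users and Redshift. It omits
# iam:AttachUserPolicy, so the developer cannot hand out admin policies even
# though the identity policy above says they can.
DEVELOPER_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "iam:CreateUser", "redshift:*"]},
    ],
}

# SCP on the department account: everything except Redshift.
DEPARTMENT_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*"},
        {"Effect": "Deny", "Action": "redshift:*"},
    ],
}

EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}
PERMISSIVE_BOUNDARY = {"Version": "2012-10-17",
                       "Statement": [{"Effect": "Allow", "Action": "*"}]}


def demo() -> dict:
    """Decisions for a handful of requests, one per layer effect."""
    full = (DEVELOPER_POLICY, DEVELOPER_BOUNDARY, DEPARTMENT_SCP)
    return {
        # all three layers allow
        "s3:GetObject": is_allowed("s3:GetObject", *full),
        "iam:CreateUser": is_allowed("iam:CreateUser", *full),
        # identity policy allows, boundary does not -> denied
        "iam:AttachUserPolicy": is_allowed("iam:AttachUserPolicy", *full),
        # identity policy and boundary allow, SCP explicitly denies
        "redshift:CreateCluster": is_allowed("redshift:CreateCluster", *full),
        # same request with no SCP in force
        "redshift:CreateCluster (no SCP)":
            is_allowed("redshift:CreateCluster", DEVELOPER_POLICY, DEVELOPER_BOUNDARY),
        # a boundary by itself grants nothing
        "ec2:RunInstances (boundary only)":
            is_allowed("ec2:RunInstances", EMPTY_POLICY, PERMISSIVE_BOUNDARY),
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request:36s} {'ALLOW' if allowed else 'DENY'}")
```

Running the script shows the three behaviours the exam tip relies on: the boundary silently drops `iam:AttachUserPolicy` even though the developer's own policy lists it, the SCP blocks Redshift for every principal in the account regardless of their policies, and a boundary attached to a principal with no identity policy yields no permissions at all.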