SEC 3. How are you protecting access to and use of the AWS root account credentials?

The AWS root account credentials are similar to root or local admin in other operating systems and should be used very sparingly. The current best practice is to create AWS Identity and Access Management (IAM) users, associate them to an administrator group, and use the IAM user to manage the account. The AWS root account should not have API keys, should have a strong password, and should be associated with a hardware multi-factor authentication (MFA) device; this forces the only use of the root identity to be via the AWS Management Console and does not allow it to be used for application programming interface (API) calls. Note that some resellers or regions do not distribute or support the AWS root account credentials.

Best practices:
 The AWS root account credentials are only used for only minimal required activities.
 There is a MFA hardware device associated with the AWS root account.
 AWS Marketplace solution is being used.