Which task requires using AWS account root user credentials?
Which task requires using AWS account root user credentials?
Some tasks in AWS are restricted to the root user due to their high level of impact and security concerns. Changing the AWS Support plan is one such task that typically requires root user credentials. This is because altering the support plan can have significant implications for account billing, support levels, and the management of resources across the account. While IAM users can be given permissions to perform many tasks, changing the AWS Support plan generally necessitates root user access to ensure that only the account owner can make such significant changes.
Vote for B https://aws.amazon.com/premiumsupport/knowledge-center/change-support-plan/?nc1=h_ls
Your source says: "Use your AWS Identity and Access Management (IAM) user credentials with access permissions for AWS Support plans." This suggests that the correct answer is not B.
Vote for A. Amazon Doc says: Changing the AWS Support plan does not require root access. You can change the support plan for your AWS account using the AWS Support Plans console or the AWS CLI.
True. people can check this out - https://aws.amazon.com/about-aws/whats-new/2022/09/aws-updated-support-plans-console-new-iam-controls/
The task that requires using AWS account root user credentials is: B. Changing the AWS Support plan. Changing the AWS Support plan typically requires root user credentials because it involves modifying billing and support-related settings at the AWS account level. This task requires administrative privileges, which are associated with the root user of an AWS account.
I'm very confused on this one.. Looking at this doc - https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-tasks.html I can't relate to any of provided options.. ;D
Actions that can be performed only by the root user: • Change account settings (account name, email address, root user password, root user access keys) • View certain tax invoices • Close your AWS account • Restore IAM user permissions • Change or cancel your AWS Support plan • Register as a seller in the Reserved Instance Marketplace • Configure an Amazon S3 bucket to enable MFA • Edit or delete an Amazon S3 bucket policy that includes an invalid VPC ID or VPC endpoint ID • Sign up for GovCloud
Emm!! - Sorry Guys but none of these answers A,B,C nor D appear to be correct ? Because once a non-root IAM user account is created and permissions given (by root), they can thereafter perform all the these tasks A, B, C & D But don't believe me - see what AWS say; - ------------- A. Viewing billing information https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-what-is.html By default, IAM users and roles in your account can't access the Billing and Cost Management console. To grant access, enable the Activate IAM Access setting. .... use AWS Identity and Access Management (IAM) to control who in your account or organization has access to specific pages on the Billing and Cost Management console
Think of this as a cloud, platform, aws, devops, etc engineer working with AWS in a company environment. Show me a legitimate company that regularly wants basic view/list/describe on Billing to be isolated to the root account, which should almost NEVER be used. While the modify action on the company's/organization's AWS support plan (Enterprise Support plan is $15k/month MINIMUM) is regularly performed and should be shared via IAM roles or Identity Center's permission sets? That would make no sense. You'd even be getting your TAM reaching out to you if your company's AWS Support plan suddenly changed since it's such an impactful change. The answer is clearly B although this question appears to be a bit outdated since a root user technically can share BOTH functions with policy based users as of a few months ago.
Thanks for your explanation, it makes more sense why the support plan change is more impactful than viewing bills
The answer is B: https://docs.aws.amazon.com/awssupport/latest/user/changing-support-plans.html You can use the AWS Support Plans console to change your support plan for your AWS account. To change your support plan, you must have AWS Identity and Access Management (IAM) permissions or sign in to your account as a root user. For more information, see Manage access to AWS Support Plans and AWS managed policies for AWS Support Plans.
I think its B if I refer to this doc: https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-tasks.html
please ignore my previous comment, I think its A if I refer to this doc: https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-tasks.html
A is the answer It requires root access
It's should be A ref: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/control-access-billing.html#ControllingAccessWebsite-Activate
reply continued - B. Changing the AWS Support plan https://docs.aws.amazon.com/awssupport/latest/user/changing-support-plans.html You can use the AWS Support Plans console to change your support plan for your AWS account. To change your support plan, you must have AWS Identity and Access Management (IAM) permissions or sign in to your account as a root user ---------------------------- C. Starting and stopping Amazon EC2 instances https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/get-set-up-for-amazon-ec2.html Set up to use Amazon EC2 ..... create an administrative user so that you don't use the root user for everyday tasks.
last part of my comment - D. Opening an AWS Support case https://docs.aws.amazon.com/awssupport/latest/user/case-management.html You can create a support case in the Support Center of the AWS Management Console. ... sign in to Support Center as the root user of your AWS account or as an AWS Identity and Access Management (IAM) user.
It's Option A. Refer this document https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-tasks.html. It has this task under the list 'View certain tax invoices. An IAM user with the aws-portal:ViewBilling permission can view and download VAT invoices from AWS Europe, but not AWS Inc. or Amazon Internet Services Private Limited (AISPL).'
Answer is B, because an IAM user can view billing information with correct permissions.
B: Change or cancel AWS Support Plan