by GauntletWizard 1372 days ago
No, there's no good answer to this. Don't ever use the Root account itself. Use a corporate Yubikey, kept in a safe or better yet - Corporate Safety Deposit Box - that only the highest-level technical leads (3-5) have access to and keys to.

You should be using IAM user accounts for everything else. Unprivileged base users with access to two different roles. One for general use, one that has administrator access. Build a lambda that sends a daily e-mail summarizing logins to the second and actions those logins took to your security team. You only need to be quite this complex as your corporation grows, and you probably should only ever have a (under twenty) list of people with access to that second role.

The other key to this puzzle is separate AWS Root Accounts for different use cases; Run your Dev in one and give out the administrative role willy-nilly, "Prod" in another that's tightly locked down. AWS SSO is one good solution to managing all these accounts (there are others). Run your "Prod Data but not visible to customers" in another if you must have it (I suggest investing in automation instead - Set up a service team to handle understanding requests for "Prod" data, that will run queries in prod after vetting them and anonymizing, but don't ever load that data into staging; Have them also help engineers sufficiently fake that data).
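As an added example (not the commenter's code), here is a Python sketch of the summary that the daily lambda would e-mail: it runs over constructed CloudTrail records, counts AssumeRole calls into the admin role per IAM user, and ties later actions back to those sessions by matching the temporary access key id CloudTrail reports in the AssumeRole response to the `userIdentity.accessKeyId` of subsequent events. The role ARN and access key ids are placeholders; admin-role actions with no matching AssumeRole in the window are reported under "unknown-session" rather than dropped.

```python
from collections import defaultdict

ADMIN_ROLE_ARN = "arn:aws:iam::123456789012:role/AdminAccess"  # placeholder ARN

# Constructed sample CloudTrail records, trimmed to the fields this summary reads.
SAMPLE_EVENTS = [
    {"eventTime": "2021-06-01T09:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"roleArn": ADMIN_ROLE_ARN, "roleSessionName": "alice"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLEALICE"}}},
    {"eventTime": "2021-06-01T09:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutUserPolicy", "userIdentity": {"type": "AssumedRole",
     "accessKeyId": "ASIAEXAMPLEALICE",
     "sessionContext": {"sessionIssuer": {"arn": ADMIN_ROLE_ARN}}}},
    {"eventTime": "2021-06-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"type": "AssumedRole",
     "accessKeyId": "ASIAEXAMPLEBOB", "sessionContext": {"sessionIssuer": {
     "arn": "arn:aws:iam::123456789012:role/GeneralUse"}}}},
    {"eventTime": "2021-06-01T11:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "userIdentity": {"type": "AssumedRole",
     "accessKeyId": "ASIAEXAMPLEUNKNOWN",
     "sessionContext": {"sessionIssuer": {"arn": ADMIN_ROLE_ARN}}}},
]

def summarize_admin_role(events, admin_role_arn=ADMIN_ROLE_ARN):
    """Map each principal that assumed the admin role to its login count and actions."""
    key_to_user = {}  # temporary access key id -> who obtained it via AssumeRole
    summary = defaultdict(lambda: {"logins": 0, "actions": []})
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ident = ev.get("userIdentity", {})
        if ev["eventName"] == "AssumeRole":
            if ev.get("requestParameters", {}).get("roleArn") != admin_role_arn:
                continue  # some other role; out of scope for this report
            user = ident.get("userName") or ident.get("arn", "unknown-principal")
            summary[user]["logins"] += 1
            key = ev.get("responseElements", {}).get("credentials", {}).get("accessKeyId")
            if key:
                key_to_user[key] = user
        elif ident.get("type") == "AssumedRole":
            issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
            if issuer == admin_role_arn:
                user = key_to_user.get(ident.get("accessKeyId"), "unknown-session")
                summary[user]["actions"].append(f"{ev['eventSource']}:{ev['eventName']}")
    return dict(summary)

def format_report(summary):
    """Render the summary as the plain-text body of the daily e-mail."""
    return "\n".join(f"{u}: {e['logins']} login(s); actions: {', '.join(e['actions']) or 'none'}"
                     for u, e in sorted(summary.items())) or "No admin-role activity."
```

Sending the text is the only piece left out here; in a real lambda `format_report` output would go to SES or an SNS topic read by the security team.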

1 comment

Yes, you are totally correct. We don't use our root account now, and we keep our corporate Yubikeys in a safe with a 2-key access lock. The issue is that fewer and fewer people have access to the safe due to geography. I'm worried about our in-city bus factor.
Tread carefully with permissions; when making changes to admin roles make sure you've got a backup role you can use to undo.

Remember that if all else fails, AWS will send your company a physical letter that support will verify and unlock your account.