At a minimum, you should include enabling MFA for the IAM user. Generally, I'd suggest against using IAM users entirely. Ideally, you would use an IAM Role via federation or SSO. For my personal accounts, I use AWS SSO even though I'm just one person, since it enables me to do all my work through role-based authentication and is still protected by MFA on top.
Uhm, I don't understand how this would work. We need the backups to run unattended. The IAM user I configure has got no console access at all. Do you have any pointers or examples?