AWS IAM – Root User best practices
Below are security best practices to follow when configuring the AWS account root user:
- MFA should be enabled for the root user account
- The access keys (access key ID and secret access key) for the root user account should be deleted, so that no programmatic access exists for the root user
- The password for the root user account should be very strong (following the applicable password policy)
- The root user should not be used for any activity other than configuring the account and creating the other user accounts/groups
- The MFA settings for the root user account should be removed if the user who holds them leaves the organization; the same applies to any access keys that exist
- The email address associated with the root user account should be changed if the user leaves the organization
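As an added example (not part of the original list), the following Python audits the root user against the MFA, access-key and "root not used for day-to-day work" items above, using the two outputs AWS actually provides: the SummaryMap returned by `aws iam get-account-summary` (keys `AccountMFAEnabled` and `AccountAccessKeysPresent`) and the CSV credential report returned by `aws iam get-credential-report`, in which the root user appears as `<root_account>`. The summary and report embedded below are constructed sample data, and the 90-day idle window is an assumed threshold. Password strength cannot be checked from these outputs, so that item is not covered.

```python
"""Audit the root user's posture from two AWS IAM outputs.

Input shapes follow `aws iam get-account-summary` (SummaryMap) and the
base64-decoded CSV from `aws iam get-credential-report`. The sample data
below is constructed for this example and is not from a real account.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

ROOT_USER = "<root_account>"  # user name AWS uses for the root user in the report

# Constructed sample summary: MFA off and an access key present (non-compliant).
SAMPLE_SUMMARY = {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1}

# Constructed sample credential report with the real column layout.
SAMPLE_CREDENTIAL_REPORT = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,"
    "access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,"
    "access_key_1_last_used_region,access_key_1_last_used_service,"
    "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
    "access_key_2_last_used_region,access_key_2_last_used_service,"
    "cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated\n"
    "<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,"
    "not_supported,2024-05-01T09:15:00+00:00,2020-01-01T00:00:00+00:00,"
    "not_supported,false,true,2023-02-10T00:00:00+00:00,2024-04-30T00:00:00+00:00,"
    "us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
    "alice,arn:aws:iam::123456789012:user/alice,2021-03-03T00:00:00+00:00,"
    "true,2024-05-02T00:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,"
    "false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
)

SAMPLE_NOW = "2024-05-03T00:00:00+00:00"  # constructed "current time" for the sample


def root_row(report_csv):
    """Return the credential-report row for the root user as a dict, or None."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == ROOT_USER:
            return row
    return None


def _parse_ts(value):
    """Report timestamps are ISO 8601; placeholders such as N/A give None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_root_user(summary, report_csv, now_iso=None, max_idle_days=90):
    """Return a list of findings; an empty list means every checked item passes."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    root = root_row(report_csv)
    if root is None:
        return ["root user row missing from credential report"]
    findings = []

    # Item 1: MFA must be enabled on the root user; both sources should agree.
    if summary.get("AccountMFAEnabled") != 1 or root["mfa_active"] != "true":
        findings.append("root MFA not enabled")

    # Item 2: the root user must have no access keys at all.
    active = [k for k in ("access_key_1_active", "access_key_2_active")
              if root[k] == "true"]
    if summary.get("AccountAccessKeysPresent") == 1 or active:
        findings.append("root access keys present: " + ", ".join(active or ["(per summary)"]))

    # Item 4: root should not be used day to day; flag recent console or key use.
    checks = (("password_last_used", "console sign-in"),
              ("access_key_1_last_used_date", "access key 1"),
              ("access_key_2_last_used_date", "access key 2"))
    for field, label in checks:
        ts = _parse_ts(root[field])
        if ts is not None and now - ts < timedelta(days=max_idle_days):
            findings.append("root %s used within %d days (%s)" % (label, max_idle_days, root[field]))
    return findings


def run_sample():
    """Audit the constructed sample at the constructed time."""
    return audit_root_user(SAMPLE_SUMMARY, SAMPLE_CREDENTIAL_REPORT, now_iso=SAMPLE_NOW)


if __name__ == "__main__":
    for finding in run_sample():
        print("FINDING:", finding)
```

To run it against a real account, feed it the live outputs: `aws iam get-account-summary --query SummaryMap` for the summary, and `aws iam generate-credential-report` followed by `aws iam get-credential-report --query Content --output text | base64 -d` for the report (the report is generated asynchronously and returned base64-encoded). The two sources are checked together on purpose: the summary gives a quick account-wide answer, while the credential report carries the last-used timestamps that reveal whether root is still being used for routine work.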