Best practice for AWS is to ensure your team is not logging in with a username and password to any account that holds resources. This means losing a password is not the end of the world, and it is easy to add and remove access to AWS.
To manage user security you need a single point to control:
- User accounts
- User access level
- Password resets and age
- MFA
By using roles to access the accounts that hold resources, you can make sure every single login has MFA, and you have only one place to audit and manage users.
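As an added example (not part of the original text), this is what the pattern looks like in policy terms: a trust policy for a role in a resource account that only the identity account can assume, and only with MFA, next to a small audit check that flags trust policies missing either restriction. The account IDs are constructed placeholders.

```python
import json

IDENTITY_ACCOUNT = "111111111111"  # constructed placeholder: the account that holds the IAM users


def mfa_trust_policy(identity_account: str) -> dict:
    """Trust policy for a role in a resource account: only principals from the
    identity account may assume it, and only when their session carries MFA."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{identity_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


# Constructed weak trust policy for comparison: any principal, no MFA condition.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}],
}


def trust_policy_requires_mfa(policy: dict, identity_account: str) -> bool:
    """Audit check: every Allow statement that grants sts:AssumeRole must name
    only the identity account as principal and require aws:MultiFactorAuthPresent."""
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    saw_assume_role = False
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        saw_assume_role = True
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):          # "*" or missing principal
            return False
        arns = principal.get("AWS", [])
        arns = [arns] if isinstance(arns, str) else arns
        if not arns or any(f":{identity_account}:" not in arn for arn in arns):
            return False
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            return False
    return saw_assume_role  # a policy with no AssumeRole grant is not a valid role trust


if __name__ == "__main__":
    print(json.dumps(mfa_trust_policy(IDENTITY_ACCOUNT), indent=2))
    print("weak policy passes:", trust_policy_requires_mfa(WEAK_TRUST_POLICY, IDENTITY_ACCOUNT))
```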