Profile Applicability: Level 1


Description: 

The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established.


Rationale: 

When creating a new AWS account, a default super user is automatically created. This account is referred to as the "root" account. It is recommended that the use of this account be limited and highly controlled. During events in which the Root password is no longer accessible or the MFA token associated with the root is lost/destroyed, it is possible, through authentication using secret questions and associated answers, to recover root login access.


Impact:

With security questions registered, the root user will never lose access to the AWS account under any circumstance even in scenarios such as loss of passwords or MFA devices.

Default Value:

By default, security questions are not enabled.

Audit:

Perform the following in the AWS Management Console: 

  1. Login to the AWS account as root .

  2. On the top right you will see the Root Account Name.

  3. Click on the Root Account Name
  4. From the drop-down menu Click My Account 
  5. Scroll down to the Configure Security Challenge Questions section on the Personal Information page.
  6. If the security questions are not registered, that status will be displayed.

Remediation:

Pre-Requisites:

  • Root access to the AWS Account

 Implementation steps:

  1. Login to the AWS Account as root .

  2. Click on the Root Account Name from the top right of the console .

  3. From the drop-down menu Click My Account .

  4. Scroll down to the Configure Security Questions section .
  5. Click on Edit to display the security challenge questions configuration form.
  6. Click on each Question
    1. From the drop-down select an appropriate question

    2. Click on the Answer section 

    3. Enter an appropriate answer 

  7. Click Update when complete to save the changes.

Backout Plan:

  1. Once we configure the security challenge questions, we can’t remove them all.

  2. However, we can change the questions 

 

Note:

 You can register security questions manually only via Management console but not the command line interface since AWS CLI/AWS API are not currently supported.

Place Questions and Answers and place in a secure physical location to make sure you won't lose them. You may write down and store the answers in a secure but accessible location.

References:

https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf