Profile Applicability:

Level 1

Description:

AWS lets the account owner register security challenge questions on the account settings page (My Account) of the AWS Management Console. AWS Customer Support can use these questions to authenticate someone who requests account recovery or support assistance for the root user. Registering them gives AWS Support an additional way to verify ownership when the root password is lost or the MFA device is unavailable.

Rationale:

The AWS root user has full administrative control over an AWS account and should be used sparingly. However, in cases where:

  • The root account password is lost

  • The root MFA device is unavailable or destroyed

AWS can allow root account recovery after the requester has been authenticated with the security challenge questions and answers. Without security questions:

  • Root account recovery may be delayed or impossible.

  • AWS Support has fewer ways to authenticate the requester and verify account ownership.

  • The organization may lose access to critical AWS resources.

Impact:

  • Failure to set security questions can leave the organization unable to recover the account if the root password and the MFA device are both lost.

  • Without security questions, AWS Support may not be able to verify account ownership during an emergency.

  • Weak, reused, or publicly discoverable answers increase the risk that an attacker can pass the recovery challenge and take over the root user.

Default Value:

By default, no security questions are set and AWS does not require them. If they are not configured, AWS Support may have no way to verify account ownership when the root password or MFA device is lost.

Pre-Requisites:

  1. AWS Root User Access:

    • Must log in as the AWS root user to configure security questions.

  2. IAM Permissions:

    • The root user must perform this action (IAM users cannot set security questions).

  3. List of Security Questions & Answers:

    • Choose answers that cannot be researched from public records or social media (e.g., avoid "mother's maiden name" or a first pet's name). The answers do not have to be truthful; a random value stored in the password manager is harder to guess than a real one.

  4. Secure Storage Mechanism:

    • Store answers in a password manager or secure physical location.

Remediation:

Test Plan:

Using AWS Console

  1. Log in to AWS as the root user.

  2. Click on the Account Name (top-right corner).

  3. Select My Account from the dropdown.

  4. Scroll to the Configure Security Challenge Questions section.

  5. Ensure that three security challenge questions are configured.

Implementation Steps:

Using AWS Console

  1. Log in to AWS as the root user.

  2. Click on the Account Name (top-right corner).

  3. Select My Account from the dropdown.

  4. Scroll to the Configure Security Challenge Questions section.

  5. Click Edit.

  6. For each of the three questions:

    • Select a security question from the dropdown.

    • Enter a strong answer that is unique to that question; do not reuse an answer across questions or across accounts.

  7. Click Update.

  8. Save the questions and answers in a secure location (e.g., password manager, offline storage) alongside the other root credentials.
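The following is an added example, not AWS tooling or part of the original page. AWS exposes no API for security challenge questions, so the questions themselves still have to be entered in the console by the root user as described above; what can be automated is producing answers that satisfy the "strong, unique, not publicly available" requirement from Pre-Requisites 3 and 4 and step 6, and packaging them as a record for the password manager. The denylist, the answer length, the entropy threshold and the sample questions are constructed assumptions, not AWS values.

```python
"""
Generate and vet answers for AWS root-account security challenge questions.

Treat each answer as a secondary password: random, unique per question, and
kept only in the password manager / offline vault chosen as the secure
storage mechanism. Added example, not AWS tooling.
"""
import math
import secrets
import string

# Constructed denylist of answers that are guessable or discoverable from public
# records and social media. A real deployment would use a much larger list.
WEAK_ANSWERS = {
    "smith", "johnson", "williams", "brown",      # common surnames / maiden names
    "fluffy", "max", "bella", "buddy",            # common pet names
    "london", "newyork", "paris", "chicago",      # common birthplaces
    "toyota", "ford", "honda",                    # common first cars
    "password", "123456", "qwerty", "none",
}

# Alphabet for generated answers: letters and digits only, so the value pastes
# cleanly into a form field and is unambiguous when read back from an offline copy.
ALPHABET = string.ascii_letters + string.digits
ANSWER_LENGTH = 24        # assumption: comfortably within the form's accepted length
MIN_ENTROPY_BITS = 64     # assumption: local policy threshold for a root-recovery secret


def estimate_entropy_bits(answer: str) -> float:
    """Upper-bound entropy estimate: length x log2(size of the character pool used).

    This is the usual password-strength heuristic. It cannot tell that a long
    sentence such as a pet's name plus a birth year is publicly discoverable,
    which is why check_answer() also consults WEAK_ANSWERS.
    """
    if not answer:
        return 0.0
    pool = 0
    if any(c.islower() for c in answer):
        pool += 26
    if any(c.isupper() for c in answer):
        pool += 26
    if any(c.isdigit() for c in answer):
        pool += 10
    if any(not c.isalnum() for c in answer):
        pool += 33  # printable ASCII punctuation and space
    pool = max(pool, len(set(answer)))  # guard for scripts with no case/digit classes
    return len(answer) * math.log2(pool)


def check_answer(answer: str) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects public/guessable and low-entropy answers."""
    normalized = "".join(c for c in answer.lower() if c.isalnum())
    if normalized in WEAK_ANSWERS:
        return False, "answer is a commonly known or publicly discoverable value"
    bits = estimate_entropy_bits(answer)
    if bits < MIN_ENTROPY_BITS:
        return False, f"estimated {bits:.0f} bits of entropy, below {MIN_ENTROPY_BITS}"
    return True, "ok"


def generate_answer(length: int = ANSWER_LENGTH) -> str:
    """Random answer from a CSPRNG; entropy is length x log2(62), about 5.95 bits/char."""
    answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
    ok, reason = check_answer(answer)
    assert ok, reason  # a 24-character random string always clears the threshold
    return answer


def build_vault_entry(account_id: str, questions: list[str]) -> dict:
    """Build the record to store in the password manager next to the root credentials.

    One distinct random answer per question: reusing an answer would let a
    single leak satisfy all three challenges.
    """
    if len(questions) != 3:
        raise ValueError("three security challenge questions are expected")
    answers: list[str] = []
    while len(answers) < 3:
        candidate = generate_answer()
        if candidate not in answers:
            answers.append(candidate)
    return {
        "title": f"AWS root security questions ({account_id})",
        "questions": [{"question": q, "answer": a} for q, a in zip(questions, answers)],
    }


if __name__ == "__main__":
    # Constructed sample questions; the real choices come from the console dropdown.
    sample_questions = [
        "What was the name of your first pet?",
        "In what city were you born?",
        "What was the make of your first car?",
    ]
    entry = build_vault_entry("123456789012", sample_questions)
    for item in entry["questions"]:
        print(item["question"], "->", item["answer"])
    print(check_answer("Fluffy"))   # rejected: common pet name
```

Run it once per account, paste each generated answer into the matching console field in step 6, and import the returned record into the password manager in step 8; the script never writes the answers to disk itself, so nothing is left behind on the workstation.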

Backout Plan:

If incorrect security questions are saved:

  1. Log in as the root user and navigate to My Account.

  2. Edit security questions and update them with new answers.

  3. Store the new answers securely.

References:

  • AWS Account Security Best Practices

  • AWS Security Documentation

CIS Controls Mapping:

CIS Control Version | Control ID | Control Description
CIS v8              | 5.1        | Establish and maintain an inventory of all accounts managed in the enterprise. Validate all active accounts periodically.
CIS v7              | 16.1       | Maintain an inventory of all authentication systems, including those at a remote service provider.