Profile Applicability:

  • Level 1

Description:

Security challenge questions provide an additional layer of protection for your AWS account. These questions are used to verify the identity of the account holder in case of account recovery or security incidents. Ensuring that security questions are registered helps to prevent unauthorized access to the account.

Rationale:

By registering security challenge questions, you add an extra level of authentication that strengthens the account recovery process and helps verify the account holder’s identity during critical events. This can help prevent unauthorized access and provide an added security measure in the event of account recovery requests.

Impact:

  • Positive Impact: Helps protect the account from unauthorized access during recovery attempts. It can assist in regaining access if the account is compromised.

  • Negative Impact: Minimal; only a small one-time configuration effort is required. If the questions are not configured, you may face challenges regaining account access when necessary.

Default Value:

By default, security challenge questions are not enabled in AWS accounts. They need to be configured manually.

Pre-Requisite:

  • AWS Account Access: The user must have access to the AWS Management Console with appropriate permissions to view and update account settings.

  • IAM User Permissions: Ensure that the IAM user has the necessary permissions to view and update security settings for the account.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the Account Settings page at AWS Billing Console.

  3. Scroll down to the Configure Security Challenge Questions section.

  4. If security questions are not enabled, click the Edit link.

  5. Select three security challenge questions from the list provided by Amazon.

  6. Provide the appropriate answers for each question.

  7. Click Update to save the changes.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Go to Account Settings at AWS Billing Console.

  3. Scroll down to the Security Challenge Questions section and click the Edit button.

  4. Select three questions from the list and provide the answers.

  5. Click Update to save the settings.

Backout Plan:

Using AWS Management Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Account Settings under the Billing Dashboard.

  3. If you need to revert changes to security questions:

    • Access the Security Questions section.

    • Replace the recently updated answers with the original security question responses.

    • Save the changes to restore the previous configuration.

Using AWS CLI:

Unfortunately, managing security questions is currently not supported via AWS CLI. You will need to revert the changes manually through the AWS Management Console as outlined above.

References:

CIS Controls Mapping:

| Control Version | Control ID | Control Description                                                          |
|-----------------|------------|------------------------------------------------------------------------------|
| v8              | 17.2       | Establish and maintain contact information for reporting security incidents. |
| v7              | 19.3       | Designate management personnel and backups to support incident handling.     |