1.3 Ensure security questions are registered in the AWS account

Information

The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established.

Rationale:

When creating a new AWS account, a default super user is automatically created. This account is referred to as the 'root user' or 'root' account. It is recommended that the use of this account be limited and highly controlled. During events in which the 'root' password is no longer accessible or the MFA token associated with 'root' is lost/destroyed it is possible, through authentication using secret questions and associated answers, to recover 'root' user login access.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From Console:

Login to the AWS Account as the 'root' user

Click on the <Root_Account_Name> from the top right of the console

From the drop-down menu Click My Account

Scroll down to the Configure Security Questions section

Click on Edit

Click on each Question

From the drop-down select an appropriate question

Click on the Answer section

Enter an appropriate answer

Follow process for all 3 questions

Click Update when complete

Save Questions and Answers and place in a secure physical location

See Also

https://workbench.cisecurity.org/files/4047