Mods

turbot/aws_compliance

GitHub
Overview
23Dashboards
712Controls
401Queries
2Variables
GitHub
Loading controls...
On This Page
Description
Remediation
Usage
SQL
Tags
Get Involved
Edit on GitHub
Discuss on Slack

Control: 1.3 Ensure security questions are registered in the AWS account

Description

Ensure Security Challenge Questions are set up in the AWS account settings page of your AWS account.

By adding security challenge questions improve the security of your account. It can be used to authenticate individuals calling AWS customer service for support. It is highly recommended that security questions be established.

When creating a new AWS account, a default super user is automatically created. This account is referred to as the "root user" account. It is recommended that the use of this account to be limited. During events in case the root password is no longer accessible or the MFA token associated with root user is lost or destroyed it is possible, through authentication using secret questions and associated answers, root user login access can be recovered.

Remediation

There is no API available for setting security questions - you must log in to the AWS console to verify, and set your security questions and answers.

  1. Sign into the AWS console as a root user, and navigate to the Account Settings.
  2. Verify that the information in the Configure Security Challenge Questions section is complete and you have the answers with you. If changes are required, click Edit, make your changes, and then click Update.
  3. Keep the questions and answers in a secure location.

Usage

Run the control in your terminal:

steampipe check aws_compliance.control.cis_v130_1_3

Snapshot and share results via Steampipe Cloud:

steampipe login
steampipe check --share aws_compliance.control.cis_v130_1_3

SQL

This control uses a named query:

manual_control

Tags

category = Compliance
cis = true
cis_item_id = 1.3
cis_level = 1
cis_section_id = 1
cis_type = manual
cis_version = v1.3.0
plugin = aws
service = AWS/IAM