AWS Root User Security Challenge Questions [DEPRECATED]

Overview

This check verifies whether legacy security challenge questions are configured on the AWS account root user. These questions were historically used by AWS Support to verify identity during account recovery scenarios.

Important: AWS has deprecated this feature. New configuration is no longer available, and remaining support is time-limited. Focus on stronger recovery methods instead.

Risk

If root credentials or MFA are lost, the absence of configured security questions may slow support-assisted recovery, reducing availability during incidents.

However, knowledge-based authentication (KBA) like security questions is inherently weak:

  • Answers can often be guessed or researched through social engineering
  • Information may be exposed in data breaches or public records
  • KBA provides false confidence while creating real vulnerabilities

Bottom line: Treat this as a signal to adopt stronger, phishing-resistant recovery methods rather than relying on security questions.

Remediation Steps

Prerequisites

  • Root account credentials (email and password)
  • Access to the root account email for verification
  • A secure location to store security question answers (password manager recommended)

AWS Console Method

Since this feature is deprecated, the recommended approach is to strengthen your account recovery posture through modern methods rather than configuring legacy security questions.

Option A: Configure Security Questions (Legacy - If Still Available)

  1. Sign in to the AWS Management Console as the root user
  2. Go to Account Settings: https://console.aws.amazon.com/billing/home?#/account
  3. Look for Configure Security Challenge Questions and click Edit
  4. Select three different questions from the dropdown menus
  5. Enter answers for each question
  6. Click Update to save

Tips for answers:

  • Use answers that are memorable but not easily guessed
  • Consider using random passphrases instead of real answers
  • Store answers securely in a password manager

Option B: Strengthen Account Recovery Posture (Recommended)

Instead of relying on deprecated security questions, implement these stronger controls:

  1. Enable MFA on root account

    • Go to IAM > Security credentials (while signed in as root)
    • Under Multi-factor authentication (MFA), click Assign MFA device
    • Choose a hardware security key (FIDO2) for strongest protection
  2. Update alternate contacts

    • Go to Account Settings > Alternate Contacts
    • Add current Billing, Operations, and Security contacts
    • Ensure these contacts can receive communications if root access is lost
  3. Protect the root email account

    • Enable MFA on the email account associated with AWS root
    • Use a strong, unique password
    • Consider a dedicated email address for AWS root
  4. Establish a break-glass procedure

    • Document step-by-step recovery procedures
    • Store root credentials in a secure vault with strict access controls
    • Test recovery procedures periodically

AWS CLI: Update Alternate Contacts

Security questions cannot be configured via CLI, but you can update alternate contacts:

# Set billing contact
aws account put-alternate-contact \
    --alternate-contact-type BILLING \
    --email-address billing@example.com \
    --name "Billing Team" \
    --phone-number "+1-555-123-4567" \
    --title "Billing Contact" \
    --region us-east-1

# Set operations contact
aws account put-alternate-contact \
    --alternate-contact-type OPERATIONS \
    --email-address ops@example.com \
    --name "Operations Team" \
    --phone-number "+1-555-123-4568" \
    --title "Operations Contact" \
    --region us-east-1

# Set security contact
aws account put-alternate-contact \
    --alternate-contact-type SECURITY \
    --email-address security@example.com \
    --name "Security Team" \
    --phone-number "+1-555-123-4569" \
    --title "Security Contact" \
    --region us-east-1

Verify the contacts:

aws account get-alternate-contact \
    --alternate-contact-type SECURITY \
    --region us-east-1

Check if MFA is enabled on root:

aws iam get-account-summary --region us-east-1 --query 'SummaryMap.AccountMFAEnabled'

A return value of 1 means MFA is enabled on the root account.

CloudFormation: Alternate Contacts (Organization-level)

Security challenge questions cannot be configured via CloudFormation. However, for AWS Organizations, you can manage alternate contacts at the account level:

AWSTemplateFormatVersion: '2010-09-09'
Description: Configure alternate contacts for AWS account recovery

Resources:
  BillingContact:
    Type: AWS::Account::AlternateContact
    Properties:
      AlternateContactType: BILLING
      EmailAddress: billing@example.com
      Name: Billing Team
      PhoneNumber: '+1-555-123-4567'
      Title: Billing Contact

  OperationsContact:
    Type: AWS::Account::AlternateContact
    Properties:
      AlternateContactType: OPERATIONS
      EmailAddress: ops@example.com
      Name: Operations Team
      PhoneNumber: '+1-555-123-4568'
      Title: Operations Contact

  SecurityContact:
    Type: AWS::Account::AlternateContact
    Properties:
      AlternateContactType: SECURITY
      EmailAddress: security@example.com
      Name: Security Team
      PhoneNumber: '+1-555-123-4569'
      Title: Security Contact

Note: AWS::Account::AlternateContact requires appropriate permissions and may only work for member accounts in an AWS Organization when deployed from the management account.

Terraform: Alternate Contacts

Security challenge questions cannot be configured via Terraform. However, you can manage alternate contacts:

# Configure alternate contacts for account recovery

resource "aws_account_alternate_contact" "billing" {
  alternate_contact_type = "BILLING"
  name                   = "Billing Team"
  title                  = "Billing Contact"
  email_address          = "billing@example.com"
  phone_number           = "+1-555-123-4567"
}

resource "aws_account_alternate_contact" "operations" {
  alternate_contact_type = "OPERATIONS"
  name                   = "Operations Team"
  title                  = "Operations Contact"
  email_address          = "ops@example.com"
  phone_number           = "+1-555-123-4568"
}

resource "aws_account_alternate_contact" "security" {
  alternate_contact_type = "SECURITY"
  name                   = "Security Team"
  title                  = "Security Contact"
  email_address          = "security@example.com"
  phone_number           = "+1-555-123-4569"
}

Verification

To verify your account recovery posture:

  1. Check security questions (if applicable):

    • Sign in as root and go to Account Settings
    • Look for "Configure Security Challenge Questions"
    • Verify questions are configured (if the option still exists)
  2. Verify MFA is enabled:

    • Sign in as root
    • Go to IAM > Security credentials
    • Confirm an MFA device is assigned
  3. Verify alternate contacts:

    • Go to Account Settings > Alternate Contacts
    • Confirm all three contact types have current information

CLI Verification Commands

# Check alternate contacts
aws account get-alternate-contact --alternate-contact-type BILLING --region us-east-1
aws account get-alternate-contact --alternate-contact-type OPERATIONS --region us-east-1
aws account get-alternate-contact --alternate-contact-type SECURITY --region us-east-1

# Check account contact information
aws account get-contact-information --region us-east-1

# Check if root MFA is enabled
aws iam get-account-summary --region us-east-1 --query 'SummaryMap.AccountMFAEnabled'

Note: There is no CLI command to verify security challenge questions - this must be done through the Console.
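The CLI verification commands above can be combined into one posture assessment. This is an added example, not Prowler's own check code: the evaluation logic is pure and runs on constructed sample responses shaped like the `get-account-summary` and `get-alternate-contact` output, and the live fetch assumes boto3 is installed and root-level read permissions are available.

```python
"""Assess root-account recovery posture: root MFA plus all three alternate contacts."""
from __future__ import annotations

CONTACT_TYPES = ("BILLING", "OPERATIONS", "SECURITY")


def evaluate_posture(summary_map: dict, contacts: dict[str, dict | None]) -> list[str]:
    """Return findings (empty list means the posture checks pass).

    summary_map: the SummaryMap from `aws iam get-account-summary`.
    contacts: contact type -> AlternateContact dict, or None when the API
              reported ResourceNotFoundException (contact never configured).
    """
    findings: list[str] = []
    # AccountMFAEnabled is 1 only when the root user has an MFA device assigned.
    if summary_map.get("AccountMFAEnabled", 0) != 1:
        findings.append("Root MFA is not enabled (AccountMFAEnabled != 1)")
    for ctype in CONTACT_TYPES:
        contact = contacts.get(ctype)
        if contact is None:
            findings.append(f"{ctype} alternate contact is not configured")
            continue
        # A contact that exists but lacks a reachable address or number is useless in recovery.
        for field in ("EmailAddress", "PhoneNumber", "Name"):
            if not contact.get(field):
                findings.append(f"{ctype} alternate contact is missing {field}")
    return findings


def fetch_live(region: str = "us-east-1") -> list[str]:
    """Pull real data with boto3 (assumed installed) and evaluate it."""
    import boto3
    from botocore.exceptions import ClientError

    summary = boto3.client("iam", region_name=region).get_account_summary()["SummaryMap"]
    account = boto3.client("account", region_name=region)
    contacts: dict[str, dict | None] = {}
    for ctype in CONTACT_TYPES:
        try:
            contacts[ctype] = account.get_alternate_contact(AlternateContactType=ctype)["AlternateContact"]
        except ClientError as err:
            if err.response["Error"]["Code"] != "ResourceNotFoundException":
                raise
            contacts[ctype] = None  # contact was never set
    return evaluate_posture(summary, contacts)


# Constructed sample data: MFA on, OPERATIONS never set, SECURITY missing a phone number.
SAMPLE_SUMMARY = {"AccountMFAEnabled": 1, "Users": 3}
SAMPLE_CONTACTS: dict[str, dict | None] = {
    "BILLING": {"AlternateContactType": "BILLING", "EmailAddress": "billing@example.com",
                "Name": "Billing Team", "PhoneNumber": "+1-555-123-4567", "Title": "Billing Contact"},
    "OPERATIONS": None,
    "SECURITY": {"AlternateContactType": "SECURITY", "EmailAddress": "security@example.com",
                 "Name": "Security Team", "PhoneNumber": "", "Title": "Security Contact"},
}

if __name__ == "__main__":
    for line in evaluate_posture(SAMPLE_SUMMARY, SAMPLE_CONTACTS):
        print("FAIL:", line)
```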

Notes

  • Deprecation warning: Security challenge questions are a legacy feature. AWS has discontinued new configuration and support is time-limited. Do not rely on this feature for long-term security.

  • Root account best practice: Minimize root account usage. Create IAM users or roles for daily operations and reserve root only for tasks that explicitly require it.

  • Break-glass procedures: Document and regularly test your account recovery procedures. Ensure multiple trusted individuals know how to execute recovery if needed.

  • Hardware MFA recommended: Use FIDO2 security keys for root MFA when possible. They provide the strongest protection against phishing and credential theft.

  • Prowler may still flag this: Even though the feature is deprecated, Prowler may continue to check for it. Consider suppressing this check if you have implemented the recommended modern alternatives.