AWS Root User Security Challenge Questions
Overview
This check verifies whether security challenge questions are configured for the AWS root user. These questions were historically one of the identity-verification factors AWS Support used during account recovery.
Important Notice: This check is deprecated. AWS has discontinued the security challenge questions feature, and the setting may no longer appear in your account. Focus on the modern controls listed under Modern Alternatives and in the Notes section below.
Risk
While the feature was active, a root account without security challenge questions gave AWS Support one less factor for verifying your identity during account recovery. The questions were never a strong control, however, because knowledge-based authentication is inherently weak:
- Answers can often be guessed, or researched through social media and public records
- They are vulnerable to social engineering: anyone who learns the answers can impersonate you to support
- MFA on the root user (ideally a FIDO2 hardware key) provides much stronger protection than any shared secret of this kind
Remediation Steps
Prerequisites
- Root user access to your AWS account
- A secure place to store your security question answers (such as a password manager)
AWS Console Method
Note: Since AWS has deprecated this feature, the option may no longer appear in your account settings. If you cannot find it, skip to the "Modern Alternatives" section below.
- Sign in to the AWS Management Console as the root user (not an IAM user)
- Click on your account name in the top-right corner
- Select Account from the dropdown menu
- Scroll down to find the Configure Security Challenge Questions section
- If available, select three security questions from the dropdown menus
- Enter your answers for each question
- Store your answers securely (in a password manager or secure document)
- Click Update to save your changes
Modern Alternatives (Recommended)
Since security questions are deprecated, implement these stronger security controls instead:
- Enable MFA on the root account
  - Go to IAM > Security credentials (while signed in as root)
  - Under Multi-factor authentication (MFA), click Assign MFA device
  - Use a hardware security key (FIDO2) or authenticator app
- Set up alternate contacts
  - Go to Account > Alternate contacts
  - Add billing, operations, and security contacts
- Secure the root email address
  - Use a strong, unique password on the email account tied to your AWS root user
  - Enable MFA on that email account as well
- Minimize root user usage
  - Create IAM users or use AWS IAM Identity Center for daily tasks
  - Only use root for tasks that specifically require it
AWS CLI (optional)
There is no AWS CLI command or API for security challenge questions; the setting was only ever manageable through the AWS Management Console.
You can, however, verify that MFA is enabled on the root user from the CLI:
aws iam get-account-summary --query 'SummaryMap.AccountMFAEnabled'
IAM is a global service, so no --region flag is needed. A return value of 1 means an MFA device is assigned to the root user; 0 means it is not.
CloudFormation (optional)
Security challenge questions cannot be configured via CloudFormation as they are an account-level setting managed only through the console.
For automating other root account security settings in AWS Organizations, consider using AWS Control Tower or Service Control Policies (SCPs).
Terraform (optional)
Security challenge questions cannot be configured via Terraform: they were an account-level setting managed only through the console and are not exposed through any API.
Other root-account settings are manageable as code: alternate contacts can be set with the aws_account_alternate_contact resource, and member accounts in AWS Organizations with aws_organizations_account.
Verification
- Sign in to the AWS Console as the root user
- Navigate to Account settings
- Look for the Configure Security Challenge Questions section
- If visible, verify that three questions are configured and marked as complete
Note: Since this feature is deprecated, verification may not be possible if AWS has removed the option from your account.
Verify modern security controls instead
Since security questions are deprecated, verify these controls are in place:
Check root MFA status:
aws iam get-account-summary --query 'SummaryMap.AccountMFAEnabled'
Check alternate contacts are configured:
- Sign in to AWS Console as root
- Go to Account > Alternate contacts
- Verify billing, operations, and security contacts are filled in
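Both the Modern Alternatives procedure and the verification steps above can be audited from the command line rather than by clicking through the console. The script below is an added example (not Prowler's or AWS's own code): it parses the IAM credential report to confirm the root user has MFA active and no access keys, and queries the three alternate contacts through the Account Management API. The sample reports embedded in it are constructed for offline testing; the live functions assume AWS CLI v2 with the permissions iam:GenerateCredentialReport, iam:GetCredentialReport and account:GetAlternateContact.

```shell
#!/bin/sh
# Added example (not Prowler's or AWS's own code): audit the root user's
# modern controls from the CLI. Offline part: parse a credential report CSV.
# Live part: fetch the report and query alternate contacts with AWS CLI v2.
# Assumed permissions for the live functions: iam:GenerateCredentialReport,
# iam:GetCredentialReport, account:GetAlternateContact.

# Check the <root_account> row of a credential report CSV (path in $1).
# Columns are located by header name, so column order does not matter.
# Prints one line per failing control; returns 0 only if all pass.
check_root_row() {
  awk -F',' '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    $1 == "<root_account>" {
      found = 1
      if ($(col["mfa_active"]) != "true")          { print "root MFA not active"; bad = 1 }
      if ($(col["access_key_1_active"]) == "true") { print "root access key 1 active"; bad = 1 }
      if ($(col["access_key_2_active"]) == "true") { print "root access key 2 active"; bad = 1 }
    }
    END { if (!found) { print "no <root_account> row in report"; bad = 1 }; exit bad }
  ' "$1"
}

# Generate a fresh credential report and print the decoded CSV. The API
# answers ReportInProgress for a few seconds after generation, hence the retry.
fetch_credential_report() {
  aws iam generate-credential-report >/dev/null || return 1
  n=0
  while [ "$n" -lt 10 ]; do
    if content=$(aws iam get-credential-report --query Content --output text 2>/dev/null); then
      printf '%s\n' "$content" | base64 -d   # GNU/modern BSD base64 flag
      return 0
    fi
    n=$((n + 1))
    sleep 3
  done
  echo "credential report not ready after retries" >&2
  return 1
}

# GetAlternateContact fails with ResourceNotFoundException for an unset type;
# report each missing contact type and return non-zero if any is missing.
check_alternate_contacts() {
  missing=0
  for t in BILLING OPERATIONS SECURITY; do
    if ! aws account get-alternate-contact --alternate-contact-type "$t" >/dev/null 2>&1; then
      echo "alternate contact $t not configured"
      missing=1
    fi
  done
  return "$missing"
}

# Live audit: root row of a fresh report plus the three alternate contacts.
# Usage (needs AWS credentials): audit_root_live
audit_root_live() {
  tmp=$(mktemp) || return 1
  fetch_credential_report > "$tmp" || { rm -f "$tmp"; return 1; }
  rc=0
  check_root_row "$tmp" || rc=1
  rm -f "$tmp"
  check_alternate_contacts || rc=1
  return "$rc"
}

# Constructed sample reports (fictional account) so the parser runs offline.
# Offline usage: sample_report_good > r.csv && check_root_row r.csv
sample_report_good() {
  cat <<'EOF'
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2021-03-03T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-01-01T00:00:00+00:00,2024-05-01T09:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
EOF
}

# Same report with root MFA disabled and an active root access key.
sample_report_bad() {
  sample_report_good | awk -F',' 'BEGIN { OFS = "," } $1 == "<root_account>" { $8 = "false"; $9 = "true" } 1'
}
```

The parser fails closed: a report with no root row, or with a renamed column, is reported as a failure rather than silently passing, which is the behaviour you want from an audit script that may be run against accounts you do not fully trust the tooling on.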
Additional Resources
- AWS Root User Best Practices
- Tasks That Require Root User Credentials
- Enable MFA for the Root User
- AWS Account Alternate Contacts
Notes
- Deprecation: AWS has deprecated security challenge questions. The feature may no longer be available in your account. Focus on implementing MFA and other modern security controls instead.
- Security questions are weak: Even when available, security questions provided limited protection. Answers can often be guessed, researched, or obtained through social engineering.
- Prioritize MFA: Multi-factor authentication on the root account is far more effective than security questions. Use a hardware security key (FIDO2) for the strongest protection.
- Root user should be rarely used: After initial account setup, the root user should almost never be used. Create IAM users or use AWS IAM Identity Center for everyday tasks.
- Prowler may still flag this: Even though the feature is deprecated, Prowler may continue to check for it. Consider suppressing this check if you have implemented the recommended modern alternatives.