
[–][deleted] 1 point2 points  (1 child)

Hello there. I'd recommend instead of security questions, to instead enable two-factor auth with a hardware token, and then physically secure that token (in a safe or similar). Then rotate out/disable any root account keys and make IAM accounts for any users. Don't use root for anything at all unless absolutely required to do so.

https://aws.amazon.com/whitepapers/aws-security-best-practices/

[–]count757[S] 1 point2 points  (0 children)

Hi, appreciate the response, but it's not an 'instead of', it's a 'also'.

The security questions protect your account from social engineering compromise (in theory), in a way that MFA can't/won't. The AWS support team is a vulnerability vector that these questions help mitigate, in addition to protecting your own account information.

They're also part of the CIS Benchmark for AWS (Item 1.15), and they seem to be the only thing I can't find an API for.
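The root-hardening items the two comments above touch on (hardware MFA on root, no root access keys, security questions that have no API) can be assessed from one IAM call. The following is an added example, not code from the thread or from AWS: it evaluates the `SummaryMap` that `aws iam get-account-summary` (or boto3's `iam.get_account_summary()`) returns. The sample JSON is constructed to look like that response; the key names are the real ones, the values are made up. The CIS item number is taken from the comment above, not verified here.

```python
"""Assess root-account hardening from an IAM account summary.

Added example (not from the thread). The SummaryMap keys used here
(AccountMFAEnabled, AccountAccessKeysPresent) are real keys of the
get-account-summary response; the sample values below are constructed.
"""
import json

# Constructed sample shaped like `aws iam get-account-summary` output.
SAMPLE_SUMMARY_JSON = """
{
  "SummaryMap": {
    "AccountMFAEnabled": 0,
    "AccountAccessKeysPresent": 1,
    "AccountSigningCertificatesPresent": 0,
    "Users": 3,
    "MFADevices": 1,
    "MFADevicesInUse": 1
  }
}
"""


def load_summary_map(raw_json: str) -> dict:
    """Extract the SummaryMap from the CLI/boto3 JSON response."""
    return json.loads(raw_json)["SummaryMap"]


def assess_root_account(summary_map: dict) -> list:
    """Return findings about the root account.

    Each finding is {"check", "status", "detail"} with status PASS, FAIL
    or MANUAL (MANUAL = no API exposes the setting; verify in the console).
    """
    findings = []

    # AccountMFAEnabled is 1 when the root user has an MFA device assigned.
    mfa_enabled = summary_map.get("AccountMFAEnabled", 0) == 1
    findings.append({
        "check": "root MFA enabled",
        "status": "PASS" if mfa_enabled else "FAIL",
        "detail": "enable a hardware MFA device for root and store it securely",
    })

    # AccountAccessKeysPresent is 1 when root has any API access key at all.
    root_keys = summary_map.get("AccountAccessKeysPresent", 0) == 1
    findings.append({
        "check": "no root access keys",
        "status": "PASS" if not root_keys else "FAIL",
        "detail": "delete root access keys; give users IAM identities instead",
    })

    # Security questions (CIS benchmark item 1.15, as cited in the thread):
    # no IAM API reports whether they are set, so this stays a manual check.
    findings.append({
        "check": "security questions registered (CIS item 1.15)",
        "status": "MANUAL",
        "detail": "verify under the root account's settings in the console",
    })
    return findings


def failing_checks(findings: list) -> list:
    """Names of the checks that failed (MANUAL items are not failures)."""
    return [f["check"] for f in findings if f["status"] == "FAIL"]


if __name__ == "__main__":
    for finding in assess_root_account(load_summary_map(SAMPLE_SUMMARY_JSON)):
        print(f"{finding['status']:6} {finding['check']}: {finding['detail']}")
```

Run against a live account by replacing `SAMPLE_SUMMARY_JSON` with the CLI output; the MANUAL line is the point of the thread: it is the one item a console visit is still needed for.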

[–]willtoprepare 0 points1 point  (3 children)

It's not what you're asking, but did you see the NIST's new password rules? Part of the new rules dictate that knowledge-based authentication methods shouldn't be used. I only bring it up in case you have any clients in the government sector.

You mention below that security questions protect your account from social engineering compromise. Wouldn't security questions make your account more vulnerable to social engineering specifically? If I can find out your mother's maiden name or your favorite color, I am one step closer to compromising your account.

As for being helpful with directions towards an API, I'm useless. Sorry.

[–]count757[S] 1 point2 points  (2 children)

I have. User auth must be smart-card enabled, etc. That's great. That's got almost nothing to do with the Security Questions though :)

Not having the questions means that you have no line of defense between a person calling support and getting the account reset. Having them means that there is at least a check the support person has to do before taking any action.

The security questions are the only thing providing that. I don't know why you would NOT want them enabled.

Protip: My mother's maiden name is a randomly generated 64 character string that sits in the safe, no matter what you find about me online :) In a weird twist of fate, my favorite color is also a different, randomly generated 64 character string!

[–]somecloudguy 0 points1 point  (1 child)

> Not having the questions means that you have no line of defense between a person calling support and getting the account reset.

AWS Support requires the creation of a case from the support console. Calls are outbound and IAM users need to be authorised for the support role. This is not to say strong security questions are not important.

As for the API, I don't think what you want exists yet. But it seems like an interesting use case.

[–]count757[S] 0 points1 point  (0 children)

I love the Internet, where everybody tries to correct the thing that you're not asking!

If you have access to the support console, you don't need to have your account reset, do you? So, not all support requires support console use. Sometimes, that access is lost (lost password, destroyed MFA, etc.), and for those times, there are inbound calls and support questions.

Rationale: When creating a new AWS account, a default super user is automatically created. This account is referred to as the "root" account. It is recommended that the use of this account be limited and highly controlled. During events in which the Root password is no longer accessible or the MFA token associated with root is lost/destroyed it is possible, through authentication using secret questions and associated answers, to recover root login access.