
AWS account security questions have been deprecated

Open Fennerr opened this issue 1 year ago • 3 comments

Steps to Reproduce

Not actually a bug, but not a feature request either. AWS is deprecating security questions for accounts, so the check should be removed.

https://github.com/prowler-cloud/prowler/tree/mastoter/prowler/providers/aws/services/account/account_security_questions_are_registered_in_the_aws_account

https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-security-challenge.html

Expected behavior

Remove the check

Actual Result with Screenshots or Logs

N/A

How did you install Prowler?

Cloning the repository from github.com (git clone)

Environment Resource

N/A

OS used

N/A

Prowler version

N/A

Pip version

N/A

Context

No response

Fennerr avatar Feb 08 '24 21:02 Fennerr

Hi @Fennerr, it's great to talk about this topic since we talked internally about that recently. We know the following as stated by AWS:

Starting January 5, 2024, AWS will no longer support security challenge questions for accounts that have not already enabled and used them. This will remove the option to add new security challenge questions from the Accounts page in the AWS Management Console. If you have already set security challenge questions or have already set them on the management account in your AWS Organization, you can continue to use them. After January 6, 2025, AWS will no longer support security challenge questions for all remaining customers. We encourage you to add MFA instead. For more information, see AWS Accounts discontinues the use of security challenge questions.

Right now, that check is present in several compliance frameworks we support but as far as I understand, if the check account_security_questions_are_registered_in_the_aws_account raises:

  • PASS -> there is no problem to remove the check since you have that configured and it's not important for AWS.
  • FAIL -> you can no longer configure that, since it's disabled for accounts not already using it.

So, from my understanding we can remove the check but we need to think what happens with the compliance frameworks that are using it.

jfagoagas avatar Feb 09 '24 07:02 jfagoagas

I think for now the allowlist/mutelist is the way to go.

jfagoagas avatar Feb 09 '24 08:02 jfagoagas
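For readers who want to act on the mutelist suggestion above, here is an added example of what such a mutelist file could look like; it is not code from the issue or from the Prowler project itself. It assumes the `Mutelist` / `Accounts` / `Checks` / `Regions` / `Resources` layout that Prowler's mutelist YAML uses (older releases spell the top-level key `Allowlist`), and the `"*"` account wildcard so the entry applies to every account scanned. The file name `mutelist.yaml` and the `-w` flag used to load it are assumptions; check the version of Prowler you run.

```yaml
# mutelist.yaml (added example; layout assumed from Prowler's mutelist format)
# Mutes the deprecated security-questions check in every account and region,
# so it stops generating a FAIL that nobody can remediate any more.
Mutelist:
  Accounts:
    "*":                       # "*" = apply to all AWS accounts in the scan
      Checks:
        "account_security_questions_are_registered_in_the_aws_account":
          Regions:
            - "*"              # the check is account-global, so any region
          Resources:
            - "*"              # mute every resource the check reports on
          Description: "AWS discontinued security challenge questions; finding is not actionable (see this issue)."
```

Usage (assumed flag): `prowler aws -w mutelist.yaml`. Muted findings are still produced but marked as muted in the output, which keeps the compliance-framework mappings intact while the decision about removing the check from those frameworks is made.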

Okay cool. I'm not sure what's going to happen with the compliance frameworks (if you need to wait for the framework to catch up with the changes before changing the checks in Prowler or not). Might be worth adding a line to the status_extended saying that you cannot act on this finding, only check it, as it has been deprecated.

Fennerr avatar Feb 14 '24 13:02 Fennerr