[Question]: AWS account security questions have been deprecated #3382

Open
Fennerr opened this issue Feb 8, 2024 · 3 comments
Labels: provider/aws (Issues/PRs related with the AWS provider), question, severity/informational (Cosmetic or nice-to-have)

Comments

@Fennerr
Contributor

Fennerr commented Feb 8, 2024

Steps to Reproduce

Not actually a bug, but not a feature request either. AWS is deprecating security questions for accounts, so the check should be removed.

https://github.com/prowler-cloud/prowler/tree/mastoter/prowler/providers/aws/services/account/account_security_questions_are_registered_in_the_aws_account

https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-security-challenge.html

Expected behavior

Remove the check

Actual Result with Screenshots or Logs

N/A

How did you install Prowler?

Cloning the repository from github.com (git clone)

Environment Resource

N/A

OS used

N/A

Prowler version

N/A

Pip version

N/A

Context

No response

@Fennerr Fennerr added bug status/needs-triage Issue pending triage labels Feb 8, 2024
@jfagoagas
Member

jfagoagas commented Feb 9, 2024

Hi @Fennerr, it's great to talk about this topic since we talked internally about that recently. We know the following as stated by AWS:

Starting January 5, 2024, AWS will no longer support security challenge questions for accounts that have not already enabled and used them. This will remove the option to add new security challenge questions from the Accounts page in the AWS Management Console. If you have already set security challenge questions or have already set them on the management account in your AWS Organization, you can continue to use them. After January 6, 2025, AWS will no longer support security challenge questions for all remaining customers. We encourage you to add MFA instead. For more information, see AWS Accounts discontinues the use of security challenge questions.

Right now, that check is present in several compliance frameworks we support but as far as I understand, if the check account_security_questions_are_registered_in_the_aws_account raises:

  • PASS -> there is no problem removing the check, since you have that configured and it's not important for AWS.
  • FAIL -> you can no longer configure that, since it's disabled for accounts not already using it.

So, from my understanding we can remove the check but we need to think what happens with the compliance frameworks that are using it.

@jfagoagas jfagoagas self-assigned this Feb 9, 2024
@jfagoagas jfagoagas changed the title [Bug]: AWS account security questions have been deprecated [Question]: AWS account security questions have been deprecated Feb 9, 2024
@jfagoagas jfagoagas added question severity/informational Cosmetic or nice-to-have. provider/aws Issues/PRs related with the AWS provider and removed bug status/needs-triage Issue pending triage labels Feb 9, 2024
@jfagoagas
Member

I think for now the allowlist/mutelist is the way to go.

@Fennerr
Contributor Author

Fennerr commented Feb 14, 2024

Okay cool. I'm not sure what's going to happen with the compliance frameworks (whether you need to wait for the framework to catch up with the changes before changing the checks in Prowler or not). It might be worth adding a line to the status_extended saying that you cannot act on this finding, only check it, as it has been deprecated.
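To make the two points in this thread concrete (the maintainer's PASS/FAIL reasoning about why the finding is no longer actionable, and the suggestion to say so in status_extended), here is an added, stand-alone model of how such a check could report the deprecated setting. This is example code written for this page, not Prowler's own check or its Check/Check_Report classes; the AccountSettings record, the Finding fields, the can_remediate flag and the should_mute helper are assumptions for illustration, and the two cut-over dates are the ones from the AWS notice quoted above.

```python
"""Added example (not Prowler code): a deprecation-aware version of the
security-questions check that records, in status_extended, whether a FAIL
can still be acted on. Record layout and function names are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List

# Cut-over dates taken from the AWS notice quoted in the issue.
NO_NEW_QUESTIONS_FROM = date(2024, 1, 5)  # accounts without questions can no longer add them
DISCONTINUED_AFTER = date(2025, 1, 6)     # questions unsupported for every remaining customer

CHECK_ID = "account_security_questions_are_registered_in_the_aws_account"


@dataclass
class AccountSettings:
    """Constructed input record; the field names are assumptions, not an AWS API shape."""
    account_id: str
    security_questions_registered: bool
    root_mfa_enabled: bool


@dataclass
class Finding:
    check_id: str
    resource_id: str
    status: str            # "PASS" or "FAIL"
    status_extended: str   # human-readable detail, including the deprecation caveat
    can_remediate: bool    # False when a FAIL can no longer be fixed by the customer


def evaluate(account: AccountSettings, today: date) -> Finding:
    """Evaluate one account and attach deprecation context to the result."""
    # AWS' stated replacement for the questions is MFA, so mention it when it is missing.
    mfa_hint = "" if account.root_mfa_enabled else " Root MFA is not enabled; AWS recommends MFA instead."

    if account.security_questions_registered:
        if today > DISCONTINUED_AFTER:
            detail = (f"Security questions are registered on account {account.account_id}, but AWS "
                      f"discontinued security challenge questions after {DISCONTINUED_AFTER.isoformat()}; "
                      "this setting no longer provides any protection.")
        else:
            detail = (f"Security questions are registered on account {account.account_id}. AWS is phasing "
                      "this feature out; it should not be relied on as a recovery control.")
        return Finding(CHECK_ID, account.account_id, "PASS", detail + mfa_hint, True)

    if today < NO_NEW_QUESTIONS_FROM:
        # Before the first cut-over the finding was still remediable.
        detail = (f"Security questions are not registered on account {account.account_id}; register them "
                  "from the Accounts page in the AWS Management Console.")
        return Finding(CHECK_ID, account.account_id, "FAIL", detail + mfa_hint, True)

    if today <= DISCONTINUED_AFTER:
        detail = (f"Security questions are not registered on account {account.account_id}, and since "
                  f"{NO_NEW_QUESTIONS_FROM.isoformat()} AWS no longer lets accounts add them; this finding "
                  "can only be observed, not acted on.")
    else:
        detail = (f"Security questions are not registered on account {account.account_id}; AWS discontinued "
                  f"security challenge questions after {DISCONTINUED_AFTER.isoformat()}, so this finding "
                  "cannot be acted on.")
    return Finding(CHECK_ID, account.account_id, "FAIL", detail + mfa_hint, False)


def run_check(accounts: List[AccountSettings], today: date) -> List[Finding]:
    """Run the check over every account in scope."""
    return [evaluate(a, today) for a in accounts]


def should_mute(finding: Finding) -> bool:
    """A FAIL that cannot be remediated is the case the maintainer suggests muting."""
    return finding.status == "FAIL" and not finding.can_remediate


if __name__ == "__main__":
    # Constructed sample accounts, not real data; evaluated on the date of this issue.
    sample = [
        AccountSettings("111111111111", security_questions_registered=False, root_mfa_enabled=False),
        AccountSettings("222222222222", security_questions_registered=True, root_mfa_enabled=True),
    ]
    for f in run_check(sample, date(2024, 2, 8)):
        print(f"{f.status} {f.resource_id} mute={should_mute(f)} :: {f.status_extended}")
```

Findings for which should_mute returns True are the ones a user would list under this check ID in the mutelist (allowlist in older Prowler releases) file passed to Prowler, which is the interim approach the maintainer suggests above; the exact file format and flag depend on the Prowler version in use.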
