prowler-cloud / prowler

Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
https://prowler.com
Apache License 2.0

AWS account security questions have been deprecated #3382

Open Fennerr opened 8 months ago

Fennerr commented 8 months ago

Steps to Reproduce

Not actually a bug, but not a feature request either. AWS is deprecating security questions for accounts, so the check should be removed.

https://github.com/prowler-cloud/prowler/tree/master/prowler/providers/aws/services/account/account_security_questions_are_registered_in_the_aws_account

https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-security-challenge.html

Expected behavior

Remove the check

Actual Result with Screenshots or Logs

N/A

How did you install Prowler?

Cloning the repository from github.com (git clone)

Environment Resource

N/A

OS used

N/A

Prowler version

N/A

Pip version

N/A

Context

No response

jfagoagas commented 8 months ago

Hi @Fennerr, it's great to talk about this topic since we talked internally about that recently. We know the following as stated by AWS:

_Starting January 5, 2024, AWS will no longer support security challenge questions for accounts that have not already enabled and used them. This will remove the option to add new security challenge questions from the Accounts page in the AWS Management Console. If you have already set security challenge questions or have already set them on the management account in your AWS Organization, you can continue to use them. After January 6, 2025, AWS will no longer support security challenge questions for all remaining customers. We encourage you to add MFA instead. For more information, see AWS Accounts discontinues the use of security challenge questions._

Right now, that check is present in several compliance frameworks we support, but as far as I understand, if the check account_security_questions_are_registered_in_the_aws_account raises:

So, from my understanding we can remove the check but we need to think what happens with the compliance frameworks that are using it.

jfagoagas commented 8 months ago

I think for now the allowlist/mutelist is the way to go.
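
As an added illustration of the mutelist approach (this is example configuration, not a file from the issue or from the Prowler project's own documentation): a mutelist file that silences this one check for every account and region, so the finding stays out of reports while the check itself is left in the compliance frameworks. The file name `mutelist.yaml`, the wildcard `"*"` account entry and the wildcard region/resource lists are assumptions; on Prowler 3.x the top-level key is `Allowlist` and the flag is `-w`/`--allowlist-file`, on Prowler 4.x it is `Mutelist` and `-w`/`--mutelist-file`.

```yaml
# mutelist.yaml (assumed file name)
# Mutes only the deprecated security-questions check; every other check
# keeps reporting. Replace "*" with a 12-digit account ID to scope it.
Mutelist:
  Accounts:
    "*":                      # assumption: apply to every scanned account
      Checks:
        "account_security_questions_are_registered_in_the_aws_account":
          Regions:
            - "*"             # the check is account-global, so all regions
          Resources:
            - "*"             # mute every resource this check reports on
# Run with:  prowler aws -w mutelist.yaml
# (Prowler 3.x: top-level key "Allowlist" and the same -w flag.)
```

Muted findings are still produced with a MUTED status rather than dropped, so the finding remains visible as "checked but not actionable", which is close to what the thread asks for; if the check should not run at all, the alternative is to exclude it with `prowler aws -e account_security_questions_are_registered_in_the_aws_account`, at the cost of the compliance frameworks that reference it showing the check as not executed.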

Fennerr commented 8 months ago

Okay cool - I'm not sure what's going to happen with the compliance frameworks (if you need to wait for the framework to catch up with the changes before changing the checks in Prowler or not). Might be worth adding a line to the status_extended saying that you cannot act on this finding, only check it, as it has been deprecated.