undefined | Better HN

0 pointsandrewguenther4y ago0 comments

Organization child accounts are not rootless, they're just seeded with a random password

0 comments

Sure 'technically' you could call support and have them setup an email address for the root account and then it wouldn't be rootless anymore.

But if you setup your child account with something that cannot resolve as an email address it is no longer a working root account and won't be until you contact AWS support. You cannot change the email address setting yourself either, you cannot login and you cannot 'assume' root either (as if it were an IAM user). So in essence: no root access for anyone.

Then you add an SCP to deny support access from that account (or the entire OU or all org child accounts) and it can't self-contact AWS support either for good measure.

j / k navigate · click thread line to collapse

0 comments

oneplane4y ago

Sure 'technically' you could call support and have them setup an email address for the root account and then it wouldn't be rootless anymore.

Then you add an SCP to deny support access from that account (or the entire OU or all org child accounts) and it can't self-contact AWS support either for good measure.

j / k navigate · click thread line to collapse