[a2tech]

AWS support seems to be struggling. I just came to help a new customer who had a rough severance with their previous key engineer. The root account password was documented, but the MFA went to his phone.

We've tried talking to everyone we can, opening tickets, chats, trying to talk to their assigned account rep, etc, no one can remove the MFA. So right now luckily they have other admin accounts, but we straight up can't access their root account. We might have to nuke the entire environment and create a new account which is VERY lame considering they have a complicated and well established AWS account.

[mhurron]

Amazons assistance for account issues to organizations if an employee did anything individually is honestly horrible.

They treat it like the organization is attempting to commandeer someone else's account so all the privacy protections you expect for your own stuff is applied no matter how much you can prove it is not some other individuals account.

The best part is the billing issues that arise from that. In your example, if the previous engineer logged into that account (because they can) and racked up huge costs, assuming that account is getting billed or can be tied to your client, Amazon will demand your client pay for them, while at the same time refusing to assist in getting access to the account because it's someone else's. They hold you responsible, but unable to act in a responsible manner.

[icedchai]

You would think they'd have a standard way to recover this, like mailing a one-time password to the account's billing address.

[cyberpunk]

While true, the engineer would have to be a weapons grade tit to get themself in such legal trouble, and honestly deserves whatever criminal charges comes their way.

[senkora]

Is this something where you could pay a "consulting fee" to the previous key engineer to login and remove the MFA?

I know that that's not ideal, but as a practical matter perhaps it would be easier than creating a new account, if you can get the engineer to agree to it?

[rob-olmos]

Is the AWS account phone number also their phone and not the business/corp phone? And you tried the dedicated lost MFA device form?

[kevin_thibedeau]

This is why you either issue corporate phones or key dongles.

[nightpool]

when your startup is three employees and only one technical? this person created their AWS root account, I think it's fair to assume that he's their first engineer and probably first employee

[NetMageSCW]

What happens when someone loses their phone?

[zikduruqe]

You print the MFA QR code, and give it to an executive that locks it up in a safe or offsite storage.

In a past life, we printed the MFA QR code and the head of finance put it into a safe.

[Arrowmaster]

You know that QR code is just text you can read right? It's just an otpauth:// URI you can copy and paste into most password managers.

We even have these amazing things that securely share passwords or other secret data between multiple authorized users.

Seriously just scan the QR code and put it in any password manager that supports TOTP and it will start outputing codes.

[zikduruqe]

Yes, I am very familiar with zbarimg and qrencode. But, other people might not be, and that's why just scanning a QR code works. Not everyone has Bitwarden, 1Password, Pass, keepass, etc.... also these tools may not be approved by your security teams.

And we are talking about the root account for your production AWS account. No need to get fancy. Just print the QR code, and put it in a safe hoping you never need it.

[efitz]

That's precisely why you want it in a safe.

[UltraSane]

This is why you never use personal phones for MFA to critical accounts.

[nradov]

I won't attempt to defend AWS here, but if any company has such incompetent IT management as to allow an individual employee to have that level of control then they kind of deserve what they get. Life is hard when you're stupid.

[dixie_land]

I named random Joe as the sole owner of "my" bank account and the bank wouldn't allow me to access "my" money!

[mcherm]

That's not an equivalent analogy. A better analogy would be to say I had a bank account and I told my bank to call up Joe on the phone when confirmations were needed. I still have the account, but I have fallen out with Joe. I want the bank to call somebody else, but they refused to do so, even though it's my account and I'm paying the bill for it!

[a2tech]

And we're paying extra for support!

[gamblor956]

Banks have established processes for changing signatories on business bank accounts, including in situations where a past signatory is no longer with the business.

In a nutshell: if a past signatory was a regular employee, it just takes any other signatory to remove them. If there was no other signatory, or if the past signatory was an officer, it takes a current officer (as set forth in the company's AOI or corporate minutes). Usually only the latter 2 situations of the 3 above require an in-person visit to the local branch office, and that only requires a few minutes.