Can customers delete the roles "AWSReservedSSO_AdministratorAccess_a9149395f7abc736" and "AWSServiceRoleForSSO" if the linked accounts are in a suspended state?

0

The linked accounts were created as part of the compromised activity and suspended when the service team identified these accounts were fraudulently created. Can customers delete the roles "AWSReservedSSO_AdministratorAccess_a9149395f7abc736" and "AWSServiceRoleForSSO" now that these linked accounts are in a suspended state? If not, could you please refer me to a public-facing document that explains this scenario?

Thank you, Diana Sandhya F

AWS
asked 9 months ago · 244 views
2 Answers
1
Accepted Answer

Hi

I would say this heavily depends on whether the attacker that opened the accounts has access to the Root user for the account. If the account is suspended then it's not possible to access the account. It is, however, possible to delete the role in an active account.

"Using service-linked roles for IAM Identity Center" gives instructions on how to manually delete the role, so that is possible.

"Closing a member account in your organization" states: "If you no longer need a member account in your organization, and want to ensure that no one can accrue charges for it, you can close the account", which indicates that it can't be accessed and hence the role can't be deleted in this state.

"Can I reopen my closed AWS account?" gives instructions on how to reopen a closed account, within the 90-day grace period, using the Root user.

So if the attacker still has access to the Root user it is possible that they can reopen the account and delete the role.

I would investigate and create an SCP policy that denies any account leaving the organization and also prevents deleting the roles.

Hope it gives some form of answer and helps.

EXPERT
answered 9 months ago
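The SCP the answer above recommends, written out as an added example (this is not the answerer's policy or an AWS-published one): it denies `organizations:LeaveOrganization` so a compromised member account cannot be pulled out of the organization, and denies the IAM role-deletion and policy-detachment actions on the two role names from the question. The role paths `aws-reserved/sso.amazonaws.com/` and `aws-service-role/sso.amazonaws.com/` are the ones IAM Identity Center normally uses, but are an assumption here and should be checked against the actual role ARNs in the affected account. SCPs apply to the root user of member accounts but never to the management account, and they do not restrict actions taken by service-linked roles themselves, so Identity Center's own deprovisioning keeps working.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLeavingOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    },
    {
      "Sid": "DenyDeletingIdentityCenterRoles",
      "Effect": "Deny",
      "Action": [
        "iam:DeleteRole",
        "iam:DeleteServiceLinkedRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:UpdateAssumeRolePolicy"
      ],
      "Resource": [
        "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AdministratorAccess_a9149395f7abc736",
        "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AdministratorAccess_a9149395f7abc736",
        "arn:aws:iam::*:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO"
      ]
    }
  ]
}
```

Attach the policy to the OU that contains the suspended or suspect accounts (or to the root of the organization) from the management account. Because an SCP only takes effect on accounts that are inside the organization, the first statement is the one that keeps the second enforceable: an account that has left the organization is no longer bound by either. For broader coverage, the resource ARNs can be widened to `AWSReservedSSO_*` so every permission-set role is protected, not only the one named in the question.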
1

This document appears to cover the circumstances that you describe https://docs.aws.amazon.com/singlesignon/latest/userguide/using-service-linked-roles.html#delete-slr

When the linked account is removed from your AWS Organisation the service-linked role will be deleted.

You can also delete the service-linked role manually, as long as beforehand you have removed user & group access, and permission sets.

EXPERT
Steve_M
answered 9 months ago
AWS
EXPERT
reviewed 9 months ago
