
Can I create a child AWS account and prevent the master from accessing it?

Here is the use case we're considering:

We'd like to make RDS DB backups to a separate AWS account which is completely isolated from our main account (e.g. the login credentials would be written on a piece of paper and stored in a safe).

The idea being that even if our main AWS account was compromised, an attacker couldn't also destroy the DB backups.

Obviously we could just create a one-off AWS account, but it would be nice to have the child account still share the same billing control panel, but nothing else.

Essentially, I want it so that the master account does NOT have access to anything in the child account, except billing information.

Is it possible to do this?

I experimented with removing the OrganizationAccountAccessRole from the child account, and this seemed to prevent users from the master account from assuming that role in the child account. But is this enough? Could an attacker re-add this role somehow if they compromised the master account?

Thanks!

asked 3 years ago, 2 views

1 Answer

Accepted Answer

Hello,

Thank you for reaching out to AWS.

Regarding your query "is this enough? Could an attacker re-add this role somehow if they compromised the master account?":
A: For any cross-account activity, a role needs to be present in the destination account that has a trust policy with the master account present in it. In your case, the member (child) account should have a role with the master account trusted in it for any user from the master account to access the child account.

Since you deleted this role, the link between the master and member is now broken. Unless the child account is compromised and, from within the child account, some entity creates this role again trusting the master account, the master will not be able to access any resource in the child account. Even if the master account is compromised, the role cannot be created in the child account from the master account.

Thus, this should be enough for ensuring the master account cannot access the resources of the child account.

Hope this helps. Should you have any further questions, please feel free to reach out to us and we will be happy to help.

Happy Cloud Computing!

answered 3 years ago
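
The answer ties cross-account access to a role in the child account whose trust policy names the master account. As an added example (not part of the original answer and not AWS's own code), this Python check lists such roles from inside the child account. The account IDs, the sample policies and the role names other than OrganizationAccountAccessRole are constructed, and the input is assumed to be role records shaped like the IAM ListRoles response with each trust policy already parsed into a dict.

```python
import re
from fnmatch import fnmatchcase

# Constructed 12-digit account IDs, placeholders for illustration only.
MASTER_ACCOUNT_ID = "111111111111"
CHILD_ACCOUNT_ID = "222222222222"

# Constructed sample of roles as they might exist in the child account.
SAMPLE_ROLES = [
    {"RoleName": "OrganizationAccountAccessRole",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]}},
    {"RoleName": "rds-backup-writer",  # hypothetical service role
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"Service": "rds.amazonaws.com"}}]}},
    {"RoleName": "local-admin",  # hypothetical role trusted only in-account
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": ["sts:AssumeRole"],
          "Principal": {"AWS": ["arn:aws:iam::222222222222:user/alice"]}}]}},
]

def _as_list(value):
    """IAM policy fields may hold a single value or a list of values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principal_account(principal):
    """Account ID an AWS principal refers to, '*' for anyone, else None."""
    if principal == "*":
        return "*"
    m = re.fullmatch(r"(?:arn:aws[\w-]*:(?:iam|sts)::)?(\d{12})(?::.*)?", principal)
    return m.group(1) if m else None

def roles_trusting_account(roles, account_id):
    """Names of roles whose trust policy lets account_id (or anyone) assume them."""
    flagged = []
    for role in roles:
        for stmt in _as_list(role["AssumeRolePolicyDocument"].get("Statement")):
            actions = _as_list(stmt.get("Action"))
            if stmt.get("Effect") != "Allow" or not any(
                    fnmatchcase("sts:assumerole", a.lower()) for a in actions):
                continue
            principal = stmt.get("Principal", {})
            aws = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
            if any(_principal_account(p) in (account_id, "*") for p in aws):
                flagged.append(role["RoleName"])
                break
    return flagged
```

The check does not evaluate `Condition` or `NotPrincipal` elements, so a flagged role is a prompt to read its trust policy in full.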
