Hello,
Thank you for reaching out to AWS
Regarding your query "is this enough? Could an attacker re-add this role somehow if they compromised the master account?":
A: So for any cross-account activity, a role needs to be present in the destination account which has a trust policy with the master account present in it. Now, in your case the member account/child account should have a role with the master account trusted in it for any user from the master account to access the child account.
Since you deleted this role, the link between the master and member is now broken. Unless the child account is compromised and from within the child account some entity creates this role again trusting the master account, the master will not be able to access any resource in the child account. Even if the master account is compromised, the role cannot be created in the child account from the master account.
Thus, this should be enough for ensuring the master account cannot access the resources of the child account.
Hope this helps. Should you have any further questions, please feel free to reach out to us and we will be happy to help.
Happy Cloud Computing!
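The answer above turns on one check: which accounts does a role's trust policy actually allow to assume it? The following is an added example, not part of the original post or AWS's own tooling, that parses an IAM trust policy document and lists the trusted account IDs, so a member account owner can verify that no remaining role still trusts the master account. The trust policy and all account IDs below are constructed placeholders; the function name `trusted_accounts` and the helper are assumptions of this example.

```python
import json
import re

# Constructed sample trust policy (not from the original post). The 12-digit
# account IDs are made-up placeholders.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # whole-account trust: any principal in 111111111111 may assume
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "sts:AssumeRole",
        },
        {   # role ARN and bare account ID forms, plus an ExternalId condition
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::222222222222:role/Deploy",
                                  "333333333333"]},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "example-id"}},
        },
        {   # service principal: not an account, must not show up in the result
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        },
    ],
})

# Captures the account ID from IAM principal ARNs such as
# arn:aws:iam::123456789012:root or arn:aws:iam::123456789012:role/Name
ARN_ACCOUNT_RE = re.compile(r"^arn:aws[a-zA-Z-]*:iam::(\d{12}):")


def _account_from_principal(value):
    """Map one AWS principal string to an account ID, '*' for anonymous, or None."""
    if value == "*":
        return "*"
    if re.fullmatch(r"\d{12}", value):
        return value
    match = ARN_ACCOUNT_RE.match(value)
    return match.group(1) if match else None


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusted_accounts(trust_policy):
    """Return the set of account IDs (or '*') allowed to assume the role.

    Accepts the policy as a JSON string or an already-decoded dict. Only
    Allow statements granting an sts:AssumeRole* action are counted; Deny
    statements are not evaluated, so the result is an upper bound on who
    can assume the role.
    """
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    accounts = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(a in ("*", "sts:*") or a.startswith("sts:assumerole")
                   for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":          # anonymous trust, the worst case
            accounts.add("*")
            continue
        for entry in _as_list(principal.get("AWS")):
            account = _account_from_principal(entry)
            if account:
                accounts.add(account)
    return accounts


def is_account_trusted(trust_policy, account_id):
    """True if account_id (or everyone via '*') may assume the role."""
    trusted = trusted_accounts(trust_policy)
    return "*" in trusted or account_id in trusted


if __name__ == "__main__":
    master = "111111111111"   # placeholder for the master/management account
    print("trusted accounts:", sorted(trusted_accounts(SAMPLE_TRUST_POLICY)))
    print(f"master {master} still trusted:",
          is_account_trusted(SAMPLE_TRUST_POLICY, master))
```

In practice the policy would come from the member account itself, for example the `AssumeRolePolicyDocument` field of the boto3 IAM `get_role` response (already decoded to a dict), iterated over every role returned by `list_roles`; any role for which `is_account_trusted` reports the master account is a link of the kind the answer describes that has not yet been removed.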