[HELP NEEDED] serious gap in the process, aws support is ignoring the request


Hello Guys!

I have found a serious gap in the AWS process and the AWS support team doesn't want to help.

How can I escalate my problem other than describing it here? I am really tired already.

My story:

I am

  • running a small IT company, that delivers AWS-based projects (among others).
  • Some time ago I decided to create an AWS organization under which I have created accounts for 2 of my team members. I have provided their personal email addresses while creating their accounts (that was my biggest mistake).
  • A few months ago one of my team members got schizophrenia, he lost access to his email account, started behaving aggressively, stopped working and communicating with us.
  • I wanted to remove his account from my organization, but:

a) I cannot remove his account from my organization until I provide valid credit card details for his account to make it fully stand-alone (btw. there is $0 spent on this account).

b) The problem is that I cannot provide my credit card details because my colleague could potentially create a lot of expenses at my cost.

c) Also, once I provide my credit card details and remove his account from my organization, I will have no way to access this account anymore and delete these credit card details.

  • Another thing I explored was to close this account (since I have created it I should be able to do it):

a) I cannot close the account if I don't have root access.

b) I cannot change the email for the root account to recover the password even if I assume "OrganizationAccountAccessRole" role.

c) The account can be closed from the root account only, or by the owner of the email associated with the root account.

AWS support doesn't want to help. They "truly apologize", but "this decision is out of their scope, leaving their hands tied". Their advice is to provide credit card details, remove the account and pray that the guy does not start using this account at my cost. This is something that I obviously cannot accept.

Here is the full response:

Hello, I'm following up on behalf of our team. At this point, we want to apologize for any inconvenience this situation may cause. Unfortunately, we're unable to proceed with your request to close member accounts on this account. The initial requirements for accounts to function as standalone accounts can not be bypassed.

To complete your account information, you can sign in to the member account with the Management Account Access role. The accounts you created using AWS Organizations have an IAM role called "OrganizationAccountAccessRole". This role has full administrative permissions, and the administrator of the management account can access the member account, complete the sign up requirements and then remove the account from the organization.

Note that if you created an account as part of an organization, you might need to delete the delegated administrator role assigned to your account. This IAM role is not deleted automatically. We recommend you use the IAM role to maintain the security settings you implemented on the account.

For information about the IAM role, see the following documentation: https://aws.amazon.com/premiumsupport/knowledge-center/cannot-remove-member-organization/

For information on what happens to member accounts when you close them, see: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_close.html

See the AWS API and AWS CLI documentation here:
https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeregisterDelegatedAdministrator.html
https://docs.aws.amazon.com/cli/latest/reference/organizations/deregister-delegated-administrator.html

From my end, I understand this outcome is not the desired one, but please note that this decision is out of my scope, leaving my hands tied looking to accomplish your request. Please remember that the Billing & Accounts team is a bridge of communication between our customers and other internal teams. Once again, my truest apologies. We value your feedback.

Please share your experience by rating this correspondence using the AWS Support Center link at the end of this correspondence. Each correspondence can also be rated by selecting the stars in the top right corner of each correspondence within the AWS Support Center. Best regards, XYZ Amazon Web Services

I will appreciate your advice on what else I can do to solve this problem.

Thanks a lot!

  • Set the limit on your payment card at $1, provide this card for confirmation and then make his account fully stand-alone.

  • What about a prepaid credit card? That way even if the account gets used, it won't cost you anything.

asked 2 years ago · 241 views

1 Answer

This won't solve the problem, but consider assigning an SCP to that account that denies everything. This will effectively turn it into a dead account. See: SCP effects on permissions.

AWS
EXPERT
kentrad
answered 2 years ago
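The deny-all SCP approach from the answer above, as an added example that is not from the answerer or from AWS: it creates the policy once, attaches it to the member account idempotently, and checks first that the SCP policy type is enabled on the root. Pass `boto3.client("organizations")` from the management account as `org`; the `FakeOrganizations` class and the account id `111122223333` are constructed stand-ins so the flow can be exercised offline.

```python
import json

# Deny-all SCP document (constructed here for illustration; not from the original post).
DENY_ALL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyEverything", "Effect": "Deny", "Action": "*", "Resource": "*"}],
}
SCP = "SERVICE_CONTROL_POLICY"


def scps_enabled(org):
    """True when the SCP policy type is enabled on the organization root."""
    return any(pt["Type"] == SCP and pt["Status"] == "ENABLED"
               for root in org.list_roots()["Roots"] for pt in root["PolicyTypes"])


def quarantine_account(org, account_id, name="DenyAllQuarantine"):
    """Create the deny-all SCP once and attach it to the member account; safe to re-run.
    `org` is a boto3 Organizations client (or any object exposing the same methods)."""
    if not scps_enabled(org):
        raise RuntimeError("enable the SCP policy type on the organization root first")
    found = [p for p in org.list_policies(Filter=SCP)["Policies"] if p["Name"] == name]
    if found:
        policy_id = found[0]["Id"]
    else:
        resp = org.create_policy(Content=json.dumps(DENY_ALL_SCP), Name=name,
                                 Description="Block all actions in a quarantined member account", Type=SCP)
        policy_id = resp["Policy"]["PolicySummary"]["Id"]
    attached = {p["Id"] for p in org.list_policies_for_target(TargetId=account_id, Filter=SCP)["Policies"]}
    if policy_id not in attached:
        org.attach_policy(PolicyId=policy_id, TargetId=account_id)
    return policy_id


class FakeOrganizations:
    """Constructed offline stand-in for the boto3 client, mimicking only the calls used above."""
    def __init__(self):
        self.policies, self.targets = {}, {}
    def list_roots(self):
        return {"Roots": [{"Id": "r-test", "PolicyTypes": [{"Type": SCP, "Status": "ENABLED"}]}]}
    def list_policies(self, Filter):
        return {"Policies": [{"Id": i, "Name": n} for i, n in self.policies.items()]}
    def create_policy(self, Content, Name, Description, Type):
        pid = f"p-{len(self.policies) + 1:04d}"
        self.policies[pid] = Name
        return {"Policy": {"PolicySummary": {"Id": pid, "Name": Name}}}
    def list_policies_for_target(self, TargetId, Filter):
        return {"Policies": [{"Id": i} for i in self.targets.get(TargetId, [])]}
    def attach_policy(self, PolicyId, TargetId):
        self.targets.setdefault(TargetId, []).append(PolicyId)
```

Note that SCPs only apply while the account remains in the organization (removing it drops the policy), and a deny-all SCP also blocks the management account's use of OrganizationAccountAccessRole in that account, so detach it before any clean-up that needs that role.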
