AWS Support Going in Circles

0

Hi everyone,

I'm new to AWS and am running into some problems with AWS support. For context, my AWS was compromised as a malicious third-party entered and created multiple roles and access keys to use resources such as SES, DKM, and link up domains that are not associated with my service.

Once I noticed that these activities were happening, I immediately deleted all the users, groups, and roles that I could on IAM and ensured that my root account was protected with MFA (only the root account is left now and there are no longer any IAM users).

I also reached out to AWS support, asking them if there is anything else that I need to do to secure my account, as my account is currently restricted because I was compromised by the hackers. They advised me that there is still a role on IAM that needs to be deleted in order to secure my account (this role was apparently created by the hackers). I tried deleting that role, but I got the following error: "Failed deleting role AWSReservedSSO_AdministratorAccess_f8147c06860583ca.Cannot perform the operation on the protected role 'AWSReservedSSO_AdministratorAccess_f8147c06860583ca' - this role is only modifiable by AWS".

AWS Support several times has told me on many different occasions to delete it in some way or another, either through the IAM Identity Center or AWS Organizations (which I cannot access). I have even asked them to delete the role on their end, explicitly declaring that the role is not being used by any user or group and that I don't need the role. They haven't been able to help me in that regard and keep on telling me to delete the role on my end, but I literally can't because of the error message mentioned above (I am trying to do all of this on the root account.)

I feel like I am going in circles with AWS support and am unsure how to proceed. Does anyone have any advice? There also may be details I am missing in this post, but I'd be glad to clarify if anyone wants me to. I appreciate the help and feedback from people in the community.

3 Answers
0

It sounds like you're dealing with a protected SSO role that can't be deleted through normal IAM procedures. The "AWSReservedSSO_AdministratorAccess" role is a special role created and managed by AWS for IAM Identity Center (formerly AWS SSO) functionality.

This role can only be deleted through the IAM Identity Center service, not directly through the IAM console. Since you mentioned you can't access IAM Identity Center, this creates the circular problem you're experiencing.

Here's what you can try:

  1. Log in as the root user and try to access the IAM Identity Center console directly (https://console.aws.amazon.com/singlesignon).

  2. If you can access IAM Identity Center, look for any permission sets or assignments that might be using this role and delete those first.

  3. If you can't access IAM Identity Center, be very specific with AWS Support about the error message you're receiving when trying to delete the role. Ask them to guide you through accessing IAM Identity Center or to escalate your case to someone who can help with protected roles.

  4. Request that AWS Support help you disable IAM Identity Center if you're not using it, which should remove the associated roles.

  5. Be clear with AWS Support that this is a security issue related to a compromised account, which might help prioritize your case.

Since you've already secured your root account with MFA and removed other IAM users, you've taken good initial steps. Continue to monitor your account for any unauthorized activity and consider reviewing your AWS billing for any unexpected charges that might indicate ongoing unauthorized usage.
Sources
Security Hub - IAM.9 MFA should be enabled for the root user - finding | AWS re:Post
Secure root user access for member accounts in AWS Organizations | AWS Security Blog

answered 8 months ago
EXPERT
reviewed 8 months ago
0

AWSReservedSSO_* IAM Roles are provisioned by an AWS Service called "IAM Identity Center (formerly AWS SSO)". Roles created by IAM IC can only be modified and deleted by IAM IC. You can browse to IAM Identity Center (formerly AWS SSO).

  • If you have access to IAM IC, try to delete the account through there. If the bad actor restricted your access to IAM Identity Center (formerly AWS SSO), then try logging into your account with the root credentials and try to remove the role.
  • It's also possible that the bad actor joined your account to an AWS Organization and then provisioned the IAM Role into your account from another account, in which case you will not have access to IAM Identity Center (formerly AWS SSO). In this case you will need to open a security related ticket with them. Depending on your monthly AWS spend you could also look into this https://aws.amazon.com/security-incident-response/pricing/
answered 8 months ago
EXPERT
reviewed 8 months ago
0

This role is automatically created and managed by AWS IAM Identity Center (formerly AWS SSO), and cannot be deleted from IAM manually, even by the root user. The only way to remove it is to delete or deprovision IAM Identity Center.

Be clear to the AWS Support Team that you cannot delete the role because it's managed by IAM Identity Center.

Alternatively, disable Identity Center yourself (if UI access is available): go to IAM Identity Center → Settings → Delete Configuration.

If your account lets you access this page, deleting the configuration will automatically remove the AWSReservedSSO_AdministratorAccess_* roles.

But since you said IAM Identity Center and Organizations are locked down or inaccessible, support escalation is your best option.

answered 8 months ago
EXPERT
reviewed 8 months ago
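The three answers describe the same triage by hand: tell Identity Center-managed roles apart from ones IAM can delete, and find out whether the account has been joined to an organization run from another account. The following is an added example, not code from any of the answers or from AWS: it runs that triage over constructed data shaped like the output of `aws iam list-roles` and `aws organizations describe-organization` (all account ids and the role hash are placeholders), so it works offline; in a real account you would feed it the decoded output of those two commands.

```python
import re
SSO_PATH = "/aws-reserved/sso.amazonaws.com/"

# Constructed sample shaped like `aws iam list-roles` output; account ids and the
# role hash are placeholders, not values from the post.
SAMPLE_ROLES = [
    {"RoleName": "AWSReservedSSO_AdministratorAccess_0123456789abcdef",
     "Path": SSO_PATH + "us-east-1/",
     "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow",
         "Principal": {"Federated": "arn:aws:iam::111122223333:saml-provider/AWSSSO_0123456789abcdef_DO_NOT_DELETE"},
         "Action": ["sts:AssumeRoleWithSAML", "sts:TagSession"]}]}},
    {"RoleName": "backup-admin", "Path": "/",
     "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
         "Action": "sts:AssumeRole"}]}},
]
# Constructed `aws organizations describe-organization` result for the case where
# the account was joined to an organization run from another account.
SAMPLE_ORG = {"Organization": {"Id": "o-exampleorgid", "MasterAccountId": "999999999999"}}

def is_identity_center_role(role):
    """Identity Center roles live under the aws-reserved SSO path and trust the
    AWSSSO_*_DO_NOT_DELETE SAML provider; IAM refuses to delete them."""
    if not role["Path"].startswith(SSO_PATH):
        return False
    return any(":saml-provider/AWSSSO_" in s.get("Principal", {}).get("Federated", "")
               for s in role["AssumeRolePolicyDocument"]["Statement"])

def external_trusts(role, own_account):
    """Account ids other than our own that the trust policy lets assume the role."""
    ids = set()
    for stmt in role["AssumeRolePolicyDocument"]["Statement"]:
        aws = stmt.get("Principal", {}).get("AWS", [])
        for principal in ([aws] if isinstance(aws, str) else aws):
            m = re.search(r"arn:aws:iam::(\d{12}):", principal)
            if m and m.group(1) != own_account:
                ids.add(m.group(1))
    return sorted(ids)

def triage(roles, org, own_account):
    """Split findings into what IAM can fix and what needs Identity Center, the
    organization's management account, or AWS Support."""
    report = {"identity_center_roles": [], "externally_assumable": {},
              "foreign_management_account": None}
    for r in roles:
        ext = external_trusts(r, own_account)
        if is_identity_center_role(r):
            report["identity_center_roles"].append(r["RoleName"])
        elif ext:
            report["externally_assumable"][r["RoleName"]] = ext
    mgmt = org.get("Organization", {}).get("MasterAccountId")
    if mgmt and mgmt != own_account:
        report["foreign_management_account"] = mgmt  # roles may be pushed from there
    return report
```

A non-empty `identity_center_roles` list is the "only modifiable by AWS" case from the question, and a `foreign_management_account` that is not your own confirms the second answer's scenario, in which only that account or AWS Support can deprovision the role.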