Closed Bug 1634502 Opened 6 years ago Closed 4 years ago

Please decommission AWS account "Kai Engert - 8100" (315031162935)

Categories

(Cloud Services :: Operations: AWS Account Request, task)

Product:
Cloud Services
Component:
Operations: AWS Account Request
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: gene, Assigned: jason)

References

Details

Attachments

(1 file)

MFACompanyIdentityVerificationFormAffidavit.doc
64.50 KB, application/msword
Details

Kai had indicated in Bug 1633075 that there may be steps already in place to terminate the "Kai Engert - 8100" (315031162935) AWS account. If so and there's a bug tracking that, feel free to close this a duplicate. If not feel free to use this bug to track it.

AWS requires a note from a non-insignificant deity to login to an account that no longer has the root credentials available and we do not have the root credentials for this account.

While I jest, they do actually require a notarized form filed by a corporate officer in order to release the account. Due to the very weird circumstances of 2020, this has been a bit harder to get than it normally would be.

We are also trying to do the same for another AWS account (the See Also's above).

Legal has granted their approval for this process in a separately filed bug.

Unfortunately, no timeline on finishing this. It's in the queue and I'll do my best to get it done, but I have no idea how long it will take.

See Also: → 1594495

:ckolos
I can get into this account as an admin (though not as root). Do you mind if I go in and either

  • delete the IAM users that are in there so as to secure the account while it's being shut down
  • delete the IAM users and enable SSO granting some team that you're in admin in the account while it's being shutdown (if so, let me know the LDAP group name you'd like)

Just looking to reduce the attack surface while it's being shut down.

Flags: needinfo?(ckolos)

That works for me.

We have literally no non-painful way to shut this crap down without root access and I have no role-assumption access into the account.

Flags: needinfo?(ckolos)

I've created an IAM role, arn:aws:iam::315031162935:role/bug1634502-admin which trusts the 361527076523 AWS account that you should have a user in. The role has admin rights so you can get admin in the account

I've deleted both dueno and kengert IAM Users as they had admin rights, hadn't logged in in months or years and had no API keys.

:ckolos, this doesn't get you root but it does mitigate risk with those two IAM users and gets you admin in the account which may help in getting it shut down.

Flags: needinfo?(ckolos)

So yes, I now have access to the IAM, but this sadly doesn't get me any closer to root access which is what's needed to close the account.

Flags: needinfo?(ckolos)
See Also: → 1526008
QA Contact: jvehent → nobody
Assignee: ckolos → oremj

Oremj, I had service desk swap me in as owner of all google groups that limed owned.

That put me in the google group for email to this AWS account. I added you to it too.

It appears to be an account under cloudops rather than old IT billing.

Assignee: oremj → jthomas

I was able to gain access to this account as root. I will now proceed with decommission.

Done. I've received a confirmation email "This e-mail confirms that you have closed your Amazon Web Services account."

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED

Created this account to say "yasssssssssss"

Epic! Thanks Jason. Also Hi ckolos!!

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: