Ask HN: How does your company/organization handle cloud account ownership?

2 points

9 years ago

For example, with both AWS and GCP there exists a "root" account.

Do a single or multiple people retain control of this account?

Generally one should avoid using the root account, but there are situations when you must[1][2]

So if you limit access to this account to an individual and they take actions to secure the account (eg, random password, multi-factor authentication), what happens if they get hit by a bus[3]? get hacked? or lose/forget their credentials[4]?

To mitigate the bus and forgetfulness factors, you could provide ownership to another individual. But that increases your attack surface to hackers and to leaking credentials.

On a related note, system for permissions[5][6] are in place to delegate access to individual or groups of accounts to take actions on a project. But those projects/resources still need to be owned by some account.

Does your company/organization place ownership of company projects under a single account? Or a hierarchy of accounts? How is the latter managed?

[1] http://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html

[2] Or for GCP, creating a project that should be owned by the company https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations#use_projects_to_designate_ownership_of_resources

[3] https://en.wikipedia.org/wiki/Bus_factor

[4] Account recovery is a vector for attack especially by social engineering, who overseas recovery?

[5] https://aws.amazon.com/iam/

[6] https://cloud.google.com/iam/

1 comment