>Help me understand why you would delete your AWS account if the company and email address are unchanged - I can’t see the motivation.

Have you ever worked in a company of any size or complexity before?

1. Multiple accounts at the same company, spun up by different teams (either different departments, regions, operating divisions, or whatever) and eventually they want to consolidate

2. Acquisitions: Company A buys Company B, an admin at Company A takes over AWS account for Company B, then they eventually work on consolidating it down to one account

reply
In our case, this is exactly what happened. An acquisition of a company where their AWS accounts that were inherited were no longer needed.
reply
It's such a common case, especially in tech with startups and small software companies getting gobbled up all the time, I can't see how you WOULDN'T consider it a possible reason.
reply
This was a secondary AWS account in use by the company that had been in place for quite some time and that secondary account was just no longer needed. So to consolidate things down, it was deleted. Also at that time, SSO wasn't being used for anything with the company - and they were on a completely different email provider.

I'm not arguing that it was impossible to know the long term outcome here, but it doesn't mean it isn't frustrating. If you've spent any length of time working in AWS, you know that documentation can be difficult to find and parse.

I can certainly understand why the policy exists. What I think should be possible is in these situations to provide proof of ownership of the old email address so it can be released and reused somehow.

reply
> email addresses are immutable

1. Use "admin@domain.com"

2. Let the domain registration lapse

3. Someone else registers the domain and now can't create an AWS account.

Rare but not impossible.

reply
Sure they can. Use any other email address at domain.com to register.
reply
Yes. There are solutions to all of these issues, but what often happens is these situations come about through the natural course of companies changing over time - different people managing accounts, different providers, etc. The happy path is easy, but the happy path is rarely the one we find ourselves walking down when we inherit a previously made decision.
reply
It’s not hard to imagine a case where maybe there are 2 offices that had their own separate AWS accounts and they closed one.

AWS has been around for quite a while now. It’s also not impossible to believe that there are companies out there that might have moved from AWS to GCP or something, and maybe it’s time to move back.

reply
I did something similar.

When I started, AWS was in its infancy and I was just some guy working on a special project.

Now that same account is bound into an AWS Organization.

AWS changed. My company changed. The policies change out from under you.

reply
What if you stopped using AWS for a while, then came back?
reply
> And on the flip side I can easily see why not allowing email addresses to be used again is a reasonable security stance, email addresses are immutable and so limiting them only to one identity seems logical.

If they aren't actually deleting the account in the background and so no longer have a record of that e-mail address, then they must allow re-activation of the account tied to that e-mail address using the sign-up process.

reply
And in this case, it’s actually less secure for this one user and the account if as a workaround I’m required to create an IAM user for them (even though I can limit their use of the system).
reply