AWS MFA Nightmare: Ex-Employee’s Phone Blocks Access, No IAM, Support Denies Help
Posted by TypicalLeopard7932@reddit | sysadmin | 65 comments
Hi all,
We’re in a tough spot and could use some advice. Our AWS account is inaccessible because the Multi-Factor Authentication (MFA) is linked to a phone number belonging to a former employee who was terminated for misconduct. They’re uncooperative and won’t help transfer or disable the MFA. To make matters worse, we don’t have an IAM account set up, so we can’t manage this internally.
We contacted AWS support, but their response was unhelpful. They said:
They pointed us to the AWS Shared Responsibility Model, but that doesn’t solve our issue. The account username is ****************, and we urgently need to regain access to it.
Has anyone dealt with a similar situation? Are there any workarounds to reset MFA or bypass this requirement? Maybe escalating to a different AWS support tier or providing specific verification documents? We don’t have a paid support plan, but we’re willing to explore options.
Any advice or experiences would be greatly appreciated! I appreciate any help you can provide.
TheLastRaysFan@reddit
This is no longer an IT issue.
You need to bring in legal/a lawyer.
ExceptionEX@reddit
This isn't a legal issue, as no one in this situation is legally obligated to provide them assistance.
Former employee can't be compelled to help them.
AWS has no legal obligation to help them other than pointing them to the policies and procedures they should have followed.
What's the lawyer for?
etzel1200@reddit
Whether AWS has a legal obligation is a bit murky. Really they need to find a way to show AWS they own that account. That’s what a TAM is for, but maybe they’re too small.
ExceptionEX@reddit
Well honestly AWS provides (albeit) shitty ways of handling this, but not following best practices, and not setting up any secondary methods, nor paying for support. Arguing they have any further legal duty to help them is a stretch, and if you want to try and hire a lawyer to try to compel one of the largest companies in the world to let you back in an account you are locked out of by your own fault, you might as well just take a 10th of that and pay the guy who can let you in, and do it in hours not months.
CptZaphodB@reddit
The lawyer is to sue the former employee for the account that they're holding hostage. It's not to target Amazon.
ExceptionEX@reddit
Which would be pointless, you can read the rest of the chain to see why attempting to sue the employee is a fool's errand.
Also, my reply was directly in response to.
My point was, it isn't murky, Amazon doesn't have a legal obligation.
Just pay the guy, get it done tomorrow, or spend months chasing an imaginary reason, that won't stick.
CptUnderpants-@reddit
Past cases would disagree. People have been convicted for failing to provide credentials in the past after being terminated for misconduct.
demonseed-elite@reddit
"Oh sorry, THAT phone got broken. My new phone doesn't have the MFA set up on it. So sorry."
CptUnderpants-@reddit
It's linked to the phone number, not to the phone according to OP.
I don't get why people are defending this person. They were terminated for misconduct and have refused to offboard the MFA.
ExceptionEX@reddit
Because you don't get to terminate someone, then after the fact tell them to help you. If you're daft enough to fire the only guy who has access to your AWS, for misconduct, what the hell does proper conduct look like there?
CptUnderpants-@reddit
I've seen many circumstances where management didn't know about misconduct and poor business continuity (such as a lack of break-glass accounts) until they had someone audit the IT. If handled poorly, I can see how an organisation can end up in this situation while trying to actually get things up to standard.
We don't know the nature of the misconduct. It could be anything from manufactured edge-cases designed to justify getting rid of them through to things which could be referred to police. And we won't know if the company follows best practice because it is inappropriate to comment on such things, especially if there are pending cases.
I think many people here are assuming the fired employee likely did nothing wrong. We should be providing counsel to OP that is appropriate for most circumstances based on what they are able to tell us.
That advice from me is still: talk to a lawyer, preferably someone with expertise in the area of IP, employment law, and cybercrime. That will give OP the most options.
ExceptionEX@reddit
I'm not taking an opinion on the behavior of the employee, that doesn't change the fact that they are required to manage their affairs.
If the employee wasn't doing their job and was let go because of it, that is fine, that doesn't change the obligation that the employee, when no longer employed, act to the benefit of the former employer without compensation.
So sure, of course if they are considering taking legal action talk to a lawyer, but my question is what legal action do they think they have a leg to stand on?
This is all made moot by the fact they need access now, and not in 4 months to a year when this is decided in the courts.
Unable-Entrance3110@reddit
Because we don't know the situation and the problem is completely self-inflicted.
Had they done any one of dozens of things ahead of time, this wouldn't be a problem.
CptUnderpants-@reddit
It could be as simple as they didn't know the situation until outside expertise was brought in and this situation eventuated because they were trying to get things up to standard.
ccatlett1984@reddit
Time to pay for SMS spoofing.
Microsoft has a documented "get back in" process, it's painful (as it should be), but you prove ownership via billing, etc. and you get back in.
Bradddtheimpaler@reddit
Convicted of what, exactly?
CptUnderpants-@reddit
One example: California Penal Code Sec. 502(c)(5) which criminalizes taking an action that “knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.”
ExceptionEX@reddit
Typically those cases revolved around users who took actions to knowingly lock people out of a system, like changing the password to a system before leaving.
In this case there were no malicious actions on the end of the former employee, they didn't change a password or do anything to deny the company access.
The company in this case failed to follow best practices and did not set up the suggested method to manage their accounts, and didn't have a secondary account.
CptUnderpants-@reddit
Seems pretty clear to me that they're denying access to a computer system by not cooperating.
See the case of Terry Childs who didn't go out of their way, instead just withheld passwords. In this case, they're withholding the MFA code.
ExceptionEX@reddit
Probably pretty good you aren't a judge then, you can't be compelled to provide information from a personal device, or your person, when there was no criminal intent to gain it.
The obligation to maintain, provide, or assist in access to a system after termination is not a former employee's obligation.
They can freely delete the application from their phone. If that harms the company that isn't the former employee's fault, but the failure to plan is the company's fault.
In nearly all cases where a former employee has been found at fault, it hinges on the employee taking action to intentionally deny the employer access to a system in an intentional way. Including Childs, who intentionally changed passwords, bypassed audit systems and refused to provide access WHILE STILL EMPLOYED.
CptUnderpants-@reddit
No need to be rude.
I still disagree, but this is why lawyers are at least worth consulting in this circumstance.
From a civil perspective, this could be tortious interference.
It also depends greatly on how recently the termination for misconduct was, if this has occurred because they refused to participate in offboarding proceedings, that could be an issue.
Another worth considering is if placing the MFA on a personal device is effectively placing intellectual property of the business in your personal possession and then refusing to return it when the employment is terminated.
ExceptionEX@reddit
The former employee is just that, they have no obligation to ensure business continuity to parties they are no longer a party to. The irony is, firing them is what freed the person from any of these obligations.
This is really an amazing stretch, seriously, MFA is an authentication method, one the company didn't write, nor own, or control and is in no way even possibly considered the company's intellectual property.
If anything the MFA is owned by Amazon, and they are in control of where that MFA code is being sent, and also in control of authenticating it.
CptUnderpants-@reddit
So, to be clear, you believe that if a business fires an employee for misconduct they have no obligation to hand over any intellectual property or passwords during offboarding?
ExceptionEX@reddit
Firstly, property yes, but nothing discussed here is intellectual property.
Nothing else, unless the employment contract that clearly has terms that require it.
A three judge panel in the tenth circuit in 2024 made this explicitly clear, that an employer must make it part of an employment agreement stating that the employee has an obligation to turn over passwords on termination.
So even if they had such a clearly written agreement, this likely wouldn't cover MFA, because it isn't static, and not available at the time of termination.
In short, the company is falling short of its obligation to manage its resources and it is not the responsibility of a former employee to act on their behalf after the fact.
mrlinkwii@reddit
And in terms of the US and most other countries, the said MFA shouldn't be on the user's personal device to begin with.
Public_Fucking_Media@reddit
Who is an authorized user? Per the MFA, it's the terminated employee... It's messy.
RoaringRiley@reddit
To bully/threaten/harass the employee into relenting, probably.
anotherucfstudent@reddit
This would backfire on them hard. Imagine being the ex-employee, I’d laugh my ass off
rswwalker@reddit
All they have to say is, sorry man, I deleted all my company authentication methods the day you fired me, for security reasons.
bloodpriestt@reddit
Yeah that’s how I took it.
Also: bribe
Unable-Entrance3110@reddit
Agree. If I was a vindictive admin who was fired, I would immediately wipe my personal device. Not my fault if I was the only one left with access.
RatRaceRunner@reddit
Negotiation
TheFluffiestRedditor@reddit
Yup. The ex-employee is holding company resources to ransom, which can be classed as a criminal act.
ShadowSlayer1441@reddit
If they say, pay me x or I won't give it sure, that's ransom. But if they just don't want to deal with or otherwise interact with the OP's company after being fired, they can hardly be compelled to resend the MFA message or even pick up their phone when OP calls etc.
TheFluffiestRedditor@reddit
There was misconduct prior to the termination. I'd say that ex-employee has a vested interest in not responding, thus the thought of using a lawyer and potential court order to enforce it.
I did also see OP not having an AWS support contract, that'd be my other next step, along with seeking legal advice (not from reddit)
nuttertools@reddit
Why can’t you just follow the standard MFA reset instructions for root accounts? If the former employee created a personal account and deployed company resources to it you need legal to intervene, the company never possesses these resources and data. If it is a company account you should be able to break in fairly easily with just access to the email address. Amazon does some black box checking so getting stuck in a loop and having to pay for support isn’t uncommon but AWS root accounts are just standard Amazon accounts with enhanced access policies to the AWS product.
sparkyflashy@reddit
Involve your company’s legal counsel to demand assistance from the fired employee.
Pump_9@reddit
Just goes to show don't take IAM lightly. Every company needs to build up an IAM team.
Unable-Entrance3110@reddit
I am not familiar with AWS at all, but the first thing I did when my company needed to set up an S3 bucket was to create a break-glass account tied to a physical TOTP device. The TOTP token and password are in an envelope which is in the CFO's safe. That account is the global admin under which the account was opened.
This is pretty straight-forward stuff and would have been instantly flagged on an audit prior to terminating the employee.
AuroraFireflash@reddit
I'm reminded of the adage "two is one, one is none" here and would have a 2nd option.
blbd@reddit
Or Amazon could make their system cleaner so that normal sane humans could manage it without it turning itself into an unholy mess.
Layer7Admin@reddit
There isn't just a workaround to MFA. If there was it would be pointless.
As to a next step, offer your previous employee $1,000 to get you into the account.
Boring_Cat1628@reddit
That is if said former employee is even monitoring their messages/emails. Which is highly unlikely.
OP is SOL not knowing how to properly set up MFA to begin with.
And $1k isn't going to cut it. Maybe 1 BTC will cut it. or 2 or 3.
TangerineTomato666@reddit
XMR
alarmologist@reddit
Well, the company can just sue him if he doesn't give it to them, and he could likely go to jail as well, so the $1000 seems like a pretty good deal. Hell, $0 sounds better than civil and criminal court costs. Withholding passwords can and has gotten people convicted of crimes, e.g. Terry Childs. It may vary from state to state, but it can definitely get you criminal charges in California and Oregon; and I would guess that by now, every state in the US.
Terry Childs was sentenced under this law for withholding passwords. If you make somebody else's system not accessible, that can get you charged, it doesn't matter how you do it.
California Penal Code Sec. 502(c)(5): "knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network."
Public_Fucking_Media@reddit
The only authorized user is the ex employee, that isn't the same thing as them denying that authorization to someone else
AcidBuuurn@reddit
Lots of places you can reset the MFA with the email or another admin account.
ExceptionEX@reddit
That would be the IAM account they didn't set up.
Not having a secondary admin account or an IAM account is begging for trouble, and now they have it.
brandonsart08@reddit
An IAM account won't get them access to the root user/account owner.
ExceptionEX@reddit
But would assist in the automated process of verification, it isn't a get out jail free card but a piece of the puzzle.
Nietechz@reddit
The idea behind MFA is to make life miserable. So, that's a good thing.
You should focus on getting the recovery info. If you don't have that, well, you're done.
ek00992@reddit
We went through this shit show, too.
Fortunately, our “ex-employee” was a disgruntled founder and primary sysadmin. When I took over after we found out he was letting thousands burn on AWS just to fuck over the CEO, we had to spend a solid week with lawyers and secure every account he had.
Shit is still ongoing months later. We got lucky with AWS. He disabled MFA, and we could use his corporate email to transfer the root to another internal email.
Admin/root should use hardware MFA owned by the company. Accounts should always be corporate accounts.
The ex-employee holds the cards here. As someone else said, offer them some cash for it. It's the best you can do.
mrlinkwii@reddit
Depending on the jurisdiction they don't have to.
Can't you just sort this out with your AWS rep?
pppjurac@reddit
It is above your pay and is what lawyers are paid for.
Boss/CEO should get lawyers involved.
Outside-After@reddit
There’s a best practice guide for this reason, i.e. against the root account, strong password and locking that away.
jdptechnc@reddit
Post this in /r/AWS. That sub is monitored by AWS employees who sometimes offer help with stuff like this.
Pravobzen@reddit
This probably isn't the org's only "misconfiguration".
Critical-Variety9479@reddit
I've managed to do this in the past. It took multiple calls to AWS support. Oh so many calls. They're particularly rigid on this for good reasons. You just need to be persistent, don't get aggravated with the AWS staff, but certainly direct.
Helpjuice@reddit
Your only path forward would be to work with AWS to get the account access re-set up. If that means you need to engage your lawyers, HR, finance, and C-Suite to prove ownership of the account and company, do so.
Someone from the company should have proof of payment since the account was set up. The email should be set up to go to a corporate account so you should have access to all of those emails too.
If the CEO and the C-Suite need to travel and bring proof of ownership with their articles of incorporation, IDs, and other required paperwork out to HQ2, HQ1, or other official AWS site to talk to someone in person to get things sorted, then they need to do that. The burden of proof of ownership is 100% with your company's leadership and is no longer just an IT issue to resolve.
punkwalrus@reddit
I recall this very problem at a former company and AWS was willing to help. The base root account was MFA to an ex employee, and we didn't even contact him. We just sorted it out with our AWS account rep.
ExceptionEX@reddit
That was likely before Amazon gutted the reps, getting quality service from anyone, much less a rep, at Amazon is like hitting the lotto.
etzel1200@reddit
Depends on size.
ExceptionEX@reddit
You certainly aren't wrong, but they don't have an IAM account and a single person who has admin rights, with no paid support. I'll go out on a limb here and guess they aren't big enough.
ExceptionEX@reddit
Fastest path is to pay the former employee a consulting rate. This path may taste bad but you can likely get it resolved before you ever get to the right people in Amazon.
Public_Fucking_Media@reddit
Ouch. That's gonna be an expensive lesson. Your fastest way is probably to pay the ex-employee for access and he probably knows he has you over a barrel.