Teri Radichel


How to Change the AWS Account Email for an AWS Organizations Account

ACM.415 Can’t change the name of the AWS Organizations role or duplicate emails, so change the email, close and create a new account


In the last post, I took a look at what happens when you delete a principal referenced in a policy on AWS.

Before I deployed all my accounts, I realized that one of my accounts doesn’t have the naming convention I want for the AWS Organizations administration role. That’s because I did some renaming to support environments in a multi-account AWS Organization.

Different administrators will have access to administer different environments, and I want to make the role names consistent so it’s easier to automate and remember them.

Well, you can’t rename the AWS Organizations role, so I have to close the account and create a new one with the correct role.

The problem with that is the email associated with the existing account is the one I want to use with the new account — and you can’t have the same email for two different accounts.

That means I need to log in as the root user for the AWS account I want to close and change the email.

In order to do that, I first need to remove my service control policy (SCP) that prevents logging in as the root user.

That’s why I set up my organization to apply that to the management node and I want to have my Suspended OU outside of that. I can move the account to the Suspended OU which allows logging in as the root user for the account. Then I can change the email. Then I can close the account.

I head over to the login page and enter the root email address for the account:

aws.amazon.com should work. If it doesn’t, try console.aws.amazon.com.

Click Forgot password:

You’ll get an email at the root email address. Click the link and change the password.

Log into the account with the email address and new password on the screens above.

Due to my policies, I must use MFA for any actions except adding MFA. For the root user, head over to the Account menu on the top right and click Security credentials.

Here’s where you can click Assign MFA to set the root user MFA device.

Click Assign MFA.

Select and assign an MFA device.

Sign out.

Log back in using the above steps and provide your MFA when requested.

Head back over to the account menu again and click on Account.

Click Edit in the box with the account information that includes the primary account email.

Click Edit under email.

Specify the new email.

Get the code sent to your email and enter it here:

When it works you’ll get a succeeded message. Note that I copied and pasted the code and it told me the code was invalid. When I typed the code it worked.

To avoid confusion, you might opt to change the account name as well.

Alright, now we have removed the email so we have two options.

  1. Close the account from within AWS Organizations. It will take 90 days for the account to drop off.
  2. Enter a credit card now on the billing screen in this account. Then you can remove the account completely.

Painful? Yes.

Why can’t we just somehow change the email or the role if we are the owners of the organization that created the account? I don’t really understand that. You’ll need to ask AWS and provide any feedback. I’m sure they have reasons.

Now I can create a new account with the email I previously used for this account.
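The two AWS Organizations steps around the console work (moving the account to the Suspended OU before the root login, and closing it afterwards as in option 1) can also be run with the AWS CLI from the management account. This is an added example, not code from the original post; the account, root and OU IDs in the usage comment are constructed placeholders, and the function names and `DRY_RUN` switch are assumptions of this sketch.

```shell
#!/usr/bin/env bash
# Added example, not from the original post.
# DRY_RUN=1 (the default) prints each AWS CLI command instead of running it,
# so the sequence can be reviewed before it touches the organization.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# AWS account IDs are exactly 12 digits; reject anything else up front.
valid_account_id() {
  case "$1" in
    *[!0-9]*|'') return 1 ;;
  esac
  [ "${#1}" -eq 12 ]
}

# current_parent ACCOUNT_ID: look up the root or OU the account sits under.
current_parent() {
  valid_account_id "$1" || { echo "bad account id: $1" >&2; return 2; }
  run aws organizations list-parents --child-id "$1" \
      --query 'Parents[0].Id' --output text
}

# move_to_suspended ACCOUNT_ID SOURCE_PARENT_ID SUSPENDED_OU_ID
move_to_suspended() {
  valid_account_id "$1" || { echo "bad account id: $1" >&2; return 2; }
  [ "$2" != "$3" ] || { echo "already in the Suspended OU" >&2; return 3; }
  run aws organizations move-account --account-id "$1" \
      --source-parent-id "$2" --destination-parent-id "$3"
}

# close_account ACCOUNT_ID: run only after the root email has been changed.
close_account() {
  valid_account_id "$1" || { echo "bad account id: $1" >&2; return 2; }
  run aws organizations close-account --account-id "$1"
}

# Usage (constructed placeholder IDs):
#   move_to_suspended 111122223333 r-exmp ou-exmp-suspend1
#   ...log in as root, assign MFA, change the email in the console...
#   close_account 111122223333
```

Set `DRY_RUN=0` to execute the commands; the root login, MFA assignment and email change in between remain console steps as described above.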

Teri Radichel | © 2nd Sight Lab 2023
