Speaking of unique names within AWS, I learned the other day that even after you delete an AWS account, you can’t reuse the root user email addresses (it’s documented, but I wasn’t aware).
Someone at my org used their main company email address for a root user on an account we just closed and a second company email for our current account. We are past the time period where AWS allows for reverting the account deletion.
This now means that he isn’t allowed to use SSO via our external IdP because the email address he would use is forever attached to the deleted AWS account root user!
AWS support was rather terrible in providing help.
You should not have the root account be a human anyway. Make that a special account, secure the credentials and only ever use them when you screw something up really badly.
I would expect the SSO configuration to map the IdP's given email into a role appropriate for the identity. What does "forever attached to the deleted AWS account root user" mean here? What is the mechanism blocking use?
You can always use plus-addressing if your email provider supports that. AWS considers plus-addressed root emails to be unique.
Good for them. It's amazing how pointless most security is when a 10/10 rating to some commodity communication service's support from a phisher is all it will take.
I thought it worked the other way: you can have multiple accounts with the same username as long as they have different passwords.
That seems like a GDPR violation waiting to happen. It shouldn't be possible for them to store an email address like that forever and be in compliance.
Help me understand why you would delete your AWS account if the company and email address are unchanged - I can’t see the motivation.
And on the flip side, I can easily see why not allowing email addresses to be used again is a reasonable security stance: email addresses are immutable, and so limiting them to only one identity seems logical.
Sounds quite frustrating for this user of course but I guess it sounds a bit silly to me.
AWS support seems to be struggling. I just came to help a new customer who had a rough severance with their previous key engineer. The root account password was documented, but the MFA went to his phone.
We've tried talking to everyone we can, opening tickets, chats, trying to talk to their assigned account rep, etc., and no one can remove the MFA. So right now, luckily, they have other admin accounts, but we straight up can't access their root account. We might have to nuke the entire environment and create a new account, which is VERY lame considering they have a complicated and well-established AWS account.