The Baffling AWS Root Account Sign-in Problem

I recently ran into a rather bizarre problem with my AWS account. One day I needed some special permissions and went to sign in to the root account, only to find a brand-new account inside, with an account id that did not even match my original one. This happened suddenly on one particular sign-in, and every sign-in after that also landed in this inexplicable new account. Strange. Where did my previous account go? Can an AWS account id change?

On closer inspection, the account id had not changed; I had ended up in the root account of a different account altogether. I thought about it: if you could break straight into someone else's root account, that would be an enormous vulnerability, and in theory AWS is unlikely to let that happen. It left me baffled. Later I found out that this account was also mine, though I had no memory of ever creating it.

AWS sign-in mechanism

There are two ways to sign in to the AWS console. One is with the root account email; the other is with account id + IAM user name + IAM user password. In theory, both sign-in methods should land you in the same account id.

But what I ran into this time was strange. Signing in as an IAM user worked fine, and signing in with the root account had previously also landed smoothly in the same account.

Then one day, when I went to sign in with the root account, even though I used the email associated with the root account, I went straight into a different AWS account. I was stunned. How could this happen?

Thinking it over, I asked myself whether I had recently done anything related to my AWS account. I remembered that I had earlier changed my email on Amazon.com, which meant the mailbox I was using to sign in to the root account was actually different from the one I had used before. Possibly something went wrong in the system that links Amazon.com and AWS accounts, so that internally there were now two AWS accounts sharing the same email. At present I can only use the changed email to sign in to the root account of one of them. There is no longer any way for me to sign in as the root user of the original, first account.

I feel this is close to a bug: when changing the email, an error should have been raised saying that changing to an email identical to someone else's is not allowed. Yet after I changed the email on amazon.com, the root account email was not overwritten. After I opened a support ticket, the support agent told me to try changing the email so that the two accounts would no longer collide on the same address, and that would solve it. On reflection, this is not really a security problem either; it is more like the sign-in data getting mixed up after two accounts used the same email.
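Since both sign-in paths are supposed to land in the same account id, the practical defence against the mix-up described above is to verify the account id before doing anything privileged. The check below is an added example, not from the original post: it parses the JSON that the real `aws sts get-caller-identity` command prints and compares the `Account` field with an expected id; the account ids and user ids in the samples are constructed placeholders.

```shell
#!/usr/bin/env sh
# Expected account id, normally exported in the workstation's shell profile.
# Placeholder value (constructed, not from the post).
EXPECTED_ACCOUNT_ID="${EXPECTED_ACCOUNT_ID:-111122223333}"

# Extract the 12-digit "Account" field from `aws sts get-caller-identity`
# JSON passed on stdin. Uses only sed so it works where jq is absent.
account_from_identity() {
  sed -n 's/.*"Account"[[:space:]]*:[[:space:]]*"\([0-9]\{12\}\)".*/\1/p' | head -n 1
}

# Return 0 when the identity JSON on stdin belongs to account $1,
# 1 otherwise (with a warning on stderr naming the account actually in use).
check_account() {
  actual=$(account_from_identity)
  if [ "$actual" = "$1" ]; then
    return 0
  fi
  echo "WARNING: signed in to account ${actual:-unknown}, expected $1" >&2
  return 1
}

# Constructed sample responses shaped like the real command output:
# one from the expected account, one from a second account sharing the login.
SAMPLE_OK='{"UserId":"AIDAEXAMPLEONE","Account":"111122223333","Arn":"arn:aws:iam::111122223333:user/ops"}'
SAMPLE_WRONG='{"UserId":"444455556666","Account":"444455556666","Arn":"arn:aws:iam::444455556666:root"}'

# Stand-alone demo on the constructed samples.
printf '%s' "$SAMPLE_OK" | check_account "$EXPECTED_ACCOUNT_ID" && echo "ok: expected account"
printf '%s' "$SAMPLE_WRONG" | check_account "$EXPECTED_ACCOUNT_ID" || echo "refused: wrong account"

# In a live session, guard a script with:
#   aws sts get-caller-identity | check_account "$EXPECTED_ACCOUNT_ID" || exit 1
```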

Hello,

I'm very sorry about the difficulty you've been having with your AWS account.

After some investigation, I've found that you have two AWS accounts related to the email address that you're writing from. When you have two accounts related to the same email address, it's possible to sign in to both, but each account has its own password. This can make it difficult to navigate between the two and keep track of your billing and resources.

I suggest that you sign in to your account and change the email address to one that is currently not associated with another AWS or Amazon.com account. This will help you differentiate the two accounts.

Important: If your AWS account and Amazon.com retail account share the same sign-in information, updating the root user credentials (including the password) for one of the accounts changes information on the other account.

For the other account, which you access when logging in with the root user login details, you can change the email address; once it is changed, you will be able to access this account via the root user credentials.

If you need any more help, or you're having trouble resetting your password, feel free to respond to this case or use the "Phone" button. Someone will contact you soon to help you through this process.

We value your feedback. Please share your experience by rating this and other correspondences in the AWS Support Center. You can rate a correspondence by selecting the stars in the top right corner of the correspondence.

Best regards,
Cameron F.
Amazon Web Services
