
Ask HN: How does your company/organization handle cloud account ownership? - ask-hn
For example, with both AWS and GCP there exists a "root" account.

Do a single or multiple people retain control of this account?

Generally one should avoid using the root account, but there are situations when you must[1][2].

So if you limit access to this account to an individual and they take actions to secure the account (eg, random password, multi-factor authentication), what happens if they get hit by a bus[3]? Get hacked? Or lose/forget their credentials[4]?

To mitigate the bus and forgetfulness factors, you could provide ownership to another individual. But that increases your attack surface to hackers and to leaking credentials.

On a related note, systems for permissions[5][6] are in place to delegate access to individuals or groups of accounts to take actions on a project. But those projects/resources still need to be owned by some account.

Does your company/organization place ownership of company projects under a single account? Or a hierarchy of accounts? How is the latter managed?

[1] http://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html

[2] Or for GCP, creating a project that should be owned by the company
    https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations#use_projects_to_designate_ownership_of_resources

[3] https://en.wikipedia.org/wiki/Bus_factor

[4] Account recovery is a vector for attack, especially by social engineering; who oversees recovery?

[5] https://aws.amazon.com/iam/

[6] https://cloud.google.com/iam/
======
oblib
I'm just a small one man operation but since I've been doing this, for about
20 years now, I have always put account ownership of 3rd party services in the
client's name and informed them of any updates that needed to be made to that
info while I managed those accounts.

The idea behind it is they can fire me anytime they want and not have to worry
about me hijacking their data.

As part of this I direct the billing for all 3rd party services to them from
the very start. When clients have decided to move on I give them everything
they need and ask for, even if they owe me money.

I work with whomever they are using to make it easy for them and try to be as
helpful as possible. I won't do their job for them but I will provide with
what they need if I have it.

As far as code I write for them, that is owned by those who pay me to write
it. Again, I make that clear from the start. Personally, I think it's highly
unethical to do otherwise.

If you're offering your software as a service that's a different issue but
when you're creating custom apps just for them you need to make it so they can
continue on if you get hit by a bus and can't continue on.

I have changed how I create apps over the years to make it easier for clients
to move away from me when they want. I have some that have been with me for
over 15 years now. Some that have left and come back, and some that never
looked back. But none will say I hindered them when they left. They will all
say I helped them with whatever they needed and made it as easy as possible.

From a legal standpoint I want to be on solid ground from the beginning. I
don't want any client to be able to say I hindered their ability to do
business, and none ever has.

