Of course, we are all human, we all make mistakes now and again, some big and in this case not so big. What was my cardinal sin? Adding a digit wrong when entering my phone number into my new personal AWS account. I never even noticed, I never had to, what with all the secret keys, MFA set up with an 'Authenticator App', entering my address, my credit card info, my blood type, my relationship status... OK, so maybe not the last two, but everything else in order for Amazon to satisfy their obsession with fully owning my identity forever (in addition to my Amazon account for buying books, etc.).
This all happened over a year ago and everything was going as well as can be expected on AWS, considering how entirely involved it is for running any kind of cloud infrastructure. Those who have experience with it know it basically is the cement as well as the bricks, a real "Kitchen Sink", seriously very intimidating for beginners (it was for me many moons ago, and still is every time I log in).
Anyhow, back to the present, and I decide I no longer need my own AWS account. I have sufficient experience in progress through my development career, and access as a user via a corporate account, so there is no need to own my own cloud construction warehouse. So, I attempt to log in, and the screenplay plays out as follows:
- [Step 1]: enter root user info > OK
- [Step 2]: several attempts to read the captcha > OK
- [Step 3]: enter root password > OK
- [Step 4]: Please enter your OTP (One-time password) > Erm, where is that?
OK, here I realized it should be sent to my phone, but I have not received any such thing, so then...
- [Step 4]: Click for another form of identification parade if you can't use your OTP > OK
- [Step 5]: We sent you an email to your registered address on your account > OK
- [Step 6]: Email has been verified, please click here for some stranger from far away to call you >
... Calling issue, there is an error with your number ending with: ### please contact customer support!
Right, I can see one digit on the ending is off by 1, so I guess it's my mistake. Still, it can't be so difficult to rectify; after all, ALL the other information on my account is me: my home address, my email, my credit card info, so it's not as if I am pretending to be someone else... is it? After all, it's my info, and we have quite good rules here in Finland for personal data protection.
However, it is here, that the adventure begins. I open my first Support ticket...
A few hours later, a call (1) from an AWS rep, very thick accent to follow, and an extremely poor connection (definitely calling over a data line), so I assumed it was due to the rep working from home. Managed to get some of their spiel before explaining my issue; however, the connection was utter 'pants', so I asked if they could call back. An hour later, call (2), same voice, same bad connection but claiming to be an entirely different person, who proceeded to go through absolutely everything the first person went through, and then validated that it was indeed a phone digit error preventing my access to my AWS throne room. However, they cannot simply switch off MFA or reset it; they would need me to fill in some "minor details" so they could assess that I am not pretending to be an intruder on my own account. "Sure", how hard can it be?
In the next email, I got asked for information to a level that even a bank manager responsible for opening an account may balk at. In order for AWS to 'Even Consider' my case, they require [demand] the following trinkets:
- A signed (AND NOTARIZED!!) affidavit (downloadable)
- A copy of some form of identification (driver's license / passport)
- A utility bill or similar to affirm my personal address
Well, hold your chickens there, people, is this an online account access request or an application to join a secret government agency? To me, this is absolutely incredulous. Whilst I understand the need for security, my level of AWS account is hobbyist; I clearly am not wielding corporate power, they can see I have no resources on my account, and my monthly bill is a stretch at 3€ a month. Let's not forget where this all started: I missed a digit in my phone number, I didn't break any Official Secrets Act. In addition, this kind of demanded info is a little extraneous, considering it's personal data I am supposed to hand over the internet, home address, passport number; I'm sure, as I'm a citizen of the EU, there is something in the great GDPR that allows me not to have to [expose] myself to our great American cousins without some degree of guarantee? As for getting a notary to sign and stamp the provided affidavit, well, here in Finland that means a scheduled visit to the magistrate; we don't have the luxury of an online process at the moment. Well, after looking at the local timetable for a magistrate's visit, it's clear the next slot will be September, so it's back to AWS support.
I've sent all the personal info they need plus an un-notarized but digitally signed affidavit and an explanation, because there is a world out there beyond the bubble of the USA that doesn't have a drive-through everything (such as a notary service). I was informed, by call (3) and a slightly, rather overly polite (read: a tad passive-aggressive) rep, that I could explain away the lack of an official stamp on my information.
To date, I received another call, call (4), from a rep saying that the information was received and they are dealing with it, but could I answer some more questions just to make sure they definitely have the right person (and obviously not some extremely patient but nefarious scammer, who can afford the time and money to break into an empty AWS account)? Another 30 mins out of my working day to repeat myself; AWS probably needs to reassess their customer needs!
So now the jury is out, 4 calls, 5 reps and all the support tickets you can carry later. They are deliberating on whether to unlock my MFA so I can log in and finally bin my entire account, or whether they will covet it forevermore, not allowing me access, whilst still billing me the mysterious 3€ a month for nothing. Must be a grand jury convened; I await with bated breath, and finger on the stop-payments button for my card, but I assume this could start off a whole new chain reaction.
This tale, take it or leave it, remains open for now; it can serve as a warning or lesson for others. Whilst I do understand the need for protection of one's data, it has to be a sliding scale. For us hobbyists, this is probably a step over the precipice in security, but for resource-rich corporate accounts, it's probably a safety net. In my case, it's rather comical as well as profoundly frustrating, and a little financially taxing, as I will have to foot the bill for all those calls from AWS since they are all from outside the EU.
Let me know what you think: am I being the bearer of the obvious, or does my tale ring true? How does this relate to other providers? I don't know; at least (for now), I've never encountered anything like it!