You’ve got to be very careful with this. If you’re part of an organisation with “all features” you have to assume the organisation account can access your account and all your resources. There are at least two ways that come to mind:
- they can set up AWS SSO and grant access (even admin type) to any “child” account. As far as I’m aware there is nothing you can do to prevent this from happening or stop it from outside the organisation account
- they can use StackSets to provision any type of resource that CloudFormation supports. That includes roles and permissions. Again there is no control on this from the “child” account (though in this case there is nothing stopping you from deleting the created resources, except perhaps SCPs)
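An added example, not part of the original comment or of any AWS tooling: a small inventory script that shows, from inside a member account, what the two paths above leave behind. It relies on the documented naming conventions (IAM Identity Center roles sit under the IAM path `/aws-reserved/sso.amazonaws.com/` with names `AWSReservedSSO_<permission-set>_<hash>`, and StackSet stack instances are named `StackSet-<stackset-name>-<uuid>`) and, as a generalisation, also lists roles whose trust policy lets another AWS account assume them. The input dicts mirror the shape of `aws iam list-roles` and `aws cloudformation describe-stacks` output, with the trust policy already decoded to a dict as the CLI does; the sample roles, stacks and account IDs below are constructed.

```python
import json
import re

SSO_ROLE_PATH_PREFIX = "/aws-reserved/sso.amazonaws.com/"
SSO_ROLE_NAME_PREFIX = "AWSReservedSSO_"
# StackSet stack instances are named StackSet-<stackset-name>-<uuid>
STACKSET_STACK_RE = re.compile(
    r"^StackSet-(?P<stackset>.+)-"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)
ACCOUNT_IN_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):")


def is_identity_center_role(role):
    """True if the role was provisioned by IAM Identity Center (AWS SSO)."""
    return (role.get("Path", "").startswith(SSO_ROLE_PATH_PREFIX)
            and role.get("RoleName", "").startswith(SSO_ROLE_NAME_PREFIX))


def permission_set_name(role):
    """AWSReservedSSO_<permission-set>_<hash> -> <permission-set>."""
    name = role["RoleName"][len(SSO_ROLE_NAME_PREFIX):]
    return name.rsplit("_", 1)[0]


def stackset_name(stack):
    """Name of the StackSet a stack instance came from, or None."""
    m = STACKSET_STACK_RE.match(stack.get("StackName", ""))
    return m.group("stackset") if m else None


def foreign_trusted_accounts(role, own_account_id):
    """Account IDs other than our own (or '*') allowed to assume the role."""
    statements = (role.get("AssumeRolePolicyDocument") or {}).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    found = set()
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if isinstance(aws, str):
            aws = [aws]
        for p in aws:
            if p == "*":
                acct = "*"
            elif re.fullmatch(r"\d{12}", p):
                acct = p
            else:
                m = ACCOUNT_IN_ARN_RE.match(p)
                acct = m.group(1) if m else None
            if acct and acct != own_account_id:
                found.add(acct)
    return sorted(found)


def audit(roles, stacks, own_account_id):
    """Group organisation-provisioned artefacts found in this member account."""
    report = {"identity_center_roles": [], "stackset_stacks": [], "cross_account_roles": []}
    for role in roles:
        if is_identity_center_role(role):
            report["identity_center_roles"].append(
                {"role": role["RoleName"], "permission_set": permission_set_name(role)})
        foreign = foreign_trusted_accounts(role, own_account_id)
        if foreign:
            report["cross_account_roles"].append(
                {"role": role["RoleName"], "trusted_accounts": foreign})
    for stack in stacks:
        name = stackset_name(stack)
        if name:
            report["stackset_stacks"].append({"stack": stack["StackName"], "stackset": name})
    return report


# Constructed sample data (account IDs are placeholders, not real accounts).
OWN_ACCOUNT = "111111111111"
MGMT_ACCOUNT = "222222222222"
SAMPLE_ROLES = [
    {"RoleName": "AWSReservedSSO_AdministratorAccess_0123456789abcdef",
     "Path": "/aws-reserved/sso.amazonaws.com/",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
         "Effect": "Allow", "Action": ["sts:AssumeRoleWithSAML", "sts:TagSession"],
         "Principal": {"Federated": f"arn:aws:iam::{OWN_ACCOUNT}:saml-provider/AWSSSO_example"}}]}},
    {"RoleName": "OrgAuditRole", "Path": "/",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
         "Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": f"arn:aws:iam::{MGMT_ACCOUNT}:root"}}]}},
    {"RoleName": "AppServerRole", "Path": "/",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
         "Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "ec2.amazonaws.com"}}]}},
]
SAMPLE_STACKS = [
    {"StackName": "StackSet-org-baseline-roles-3f2a1b4c-5d6e-4f70-8a9b-0c1d2e3f4a5b",
     "StackStatus": "CREATE_COMPLETE"},
    {"StackName": "my-app-prod", "StackStatus": "UPDATE_COMPLETE"},
]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ROLES, SAMPLE_STACKS, OWN_ACCOUNT), indent=2))
```

Feed it the real `Roles` and `Stacks` arrays from the CLI and compare the result against what your own team provisioned; anything else on the list arrived through the organisation account, which is the point the comment makes about what a member account can and cannot control.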