Runwal AWS account 798513555087 is vendor-owned (Midnight Digital), Runwal has IAM admin only
Runwal AWS account ownership audit — 2026-05-08
Critical finding
The AWS account 798513555087 that Runwal Group operates on is NOT registered to Runwal. It is owned by a third-party vendor.
| Surface | Value | Implication |
|---|---|---|
| Account name | “The Midnight” | Vendor-controlled identity |
| Root email | aws@themidnight.in | Vendor-controlled mailbox = ultimate super-admin |
| Account contact | Sagar Gauswami | Vendor employee, NOT Runwal staff |
| Company on file | Midnight Digital Pvt. Ltd. | Bhavnagar, Gujarat |
| Phone | 9925743801 | Vendor’s phone |
| AWS Organization | o-i5kh7q6k2t (this account is the master) | Single-account org, vendor is master |
Runwal’s actual access level
Runwal’s IAM user (Runwal) has these policies attached:
- AdministratorAccess (AWS-managed) — full IAM-level admin within the account
- runwal (custom policy) — purpose-specific
- IAMUserChangePassword — can change own password
- AWSBillingReadOnlyAccess — read-only billing (cannot change credit card, cannot redirect invoices)
Other IAM users in the account
| User | Policies | Likely identity |
|---|---|---|
| Jay-chavda | AdministratorAccess + Billing (full) + AWSBillingConductorFullAccess + read-only variants | Midnight Digital lead — equal admin powers + full billing control |
| inso_account_team | Billing + AWSBillingConductorFullAccess | Third party (INSO) with billing access |
| gh-actions | (CI automation) | GitHub Actions OIDC user |
| runwal-enterprises-media-181225 | (Runwal-purpose) | Media S3 access |
| runwal-enterprises-S3 | (Runwal-purpose) | S3 access |
What this means in practice
Vendor (Midnight Digital) retains ULTIMATE control even though Runwal has AdministratorAccess:
- Root account override: whoever controls aws@themidnight.in can reset Runwal’s password, strip AdministratorAccess, lock Runwal out, transfer the account, or close it.
- Billing control: vendor receives all AWS bills; Runwal can only read them, not redirect or modify payment.
- Equal-admin override: Jay-chavda (vendor) has equal admin powers — can undo any Runwal action.
- Account sovereignty: if vendor relationship sours (billing dispute, contract end, M&A event), vendor retains all leverage over Runwal’s AWS infrastructure.
Action items (prioritized)
| Priority | Action | Why |
|---|---|---|
| 🔴 P0 | Verify Midnight Digital is formally contracted vendor with signed agreement covering account ownership + data custody + exit clauses | Without contract = uncontrolled exposure |
| 🟠 P1 | Negotiate root email transfer to Runwal-controlled mailbox (aws-root@runwalgroup.com or similar) | Removes vendor’s super-admin override |
| 🟠 P1 | Inventory what’s in this account (RDS, S3, EC2, secrets, IAM roles, KMS keys) | Sizes the blast radius if vendor revokes access |
| 🟡 P2 | Get full billing access for Runwal user (or dedicated Runwal billing user) | Should see + control your own bills |
| 🟡 P2 | Document who at Midnight Digital controls aws@themidnight.in + Jay-chavda credentials | Know who has the override key |
| 🟢 P3 | Strategic: evaluate migration to Runwal-owned AWS account | Permanent sovereignty fix |
Probes already run (audit evidence trail)
aws_get_identity → account 798513555087, user/Runwal
iam list-account-aliases → [] (no friendly alias)
iam get-user --user-name Runwal → CreateDate 2025-10-30, last login 2026-05-08
iam list-attached-user-policies --user-name Runwal → AdministratorAccess + runwal + IAMUserChangePassword + AWSBillingReadOnlyAccess
iam list-users → 6 users (above table)
iam list-attached-user-policies --user-name Jay-chavda → AdministratorAccess + Billing (full)
iam list-attached-user-policies --user-name inso_account_team → Billing + AWSBillingConductorFullAccess
organizations describe-organization → master account = self, MasterAccountEmail aws@themidnight.in
organizations list-accounts → [798513555087 "The Midnight" aws@themidnight.in]
organizations list-roots → r-00w8 (single root)
account get-contact-information → Sagar Gauswami / Midnight Digital Pvt. Ltd. / Bhavnagar
Probes NOT yet run (deferred to AJ’s discretion)
- CloudTrail history — has Jay-chavda made admin changes recently?
- Service Control Policies on org root — restrictions on Runwal user beyond IAM?
- account get-alternate-contact — security/billing/operations alternates
- Resource inventory across services (RDS instances, S3 buckets, EC2 fleet, KMS keys)
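One way to run the deferred CloudTrail check once event records are exported, as an added example that is not part of the original audit: it flags any root activity and any IAM access change made by a principal other than the Runwal user. The field names follow the CloudTrail event record format; the function name, helper, and sample events are constructed for illustration.

```python
# IAM API calls that change a user's access (CloudTrail eventName values).
IAM_MUTATIONS = {
    "AttachUserPolicy", "DetachUserPolicy", "PutUserPolicy", "DeleteUserPolicy",
    "UpdateLoginProfile", "DeleteLoginProfile", "CreateAccessKey",
    "DeleteAccessKey", "DeactivateMFADevice", "RemoveUserFromGroup", "DeleteUser",
}

def find_override_activity(events, protected_user="Runwal"):
    """Return root activity and IAM changes made by anyone except protected_user."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity") or {}
        is_root = ident.get("type") == "Root"
        actor = "root" if is_root else ident.get("userName", "unknown")
        name = ev.get("eventName", "")
        is_iam_change = (ev.get("eventSource") == "iam.amazonaws.com"
                         and name in IAM_MUTATIONS)
        if actor == protected_user or not (is_root or is_iam_change):
            continue
        target = (ev.get("requestParameters") or {}).get("userName")
        findings.append({"time": ev.get("eventTime") or "", "actor": actor,
                         "event": name, "target": target,
                         "hits_protected_user": target == protected_user})
    return sorted(findings, key=lambda f: f["time"])  # ISO 8601 sorts as text

# Constructed sample records in the shape of CloudTrail events (not audit data).
def _ev(time, source, name, identity, params=None):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": identity, "requestParameters": params}

JAY = {"type": "IAMUser", "userName": "Jay-chavda"}
SAMPLE_EVENTS = [
    _ev("2026-05-05T14:45:00Z", "iam.amazonaws.com", "UpdateLoginProfile", JAY,
        {"userName": "Runwal"}),
    _ev("2026-05-01T09:12:00Z", "iam.amazonaws.com", "DetachUserPolicy", JAY,
        {"userName": "Runwal",
         "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _ev("2026-05-02T10:00:00Z", "iam.amazonaws.com", "CreateAccessKey",
        {"type": "IAMUser", "userName": "Runwal"},
        {"userName": "runwal-enterprises-S3"}),
    _ev("2026-05-03T11:30:00Z", "signin.amazonaws.com", "ConsoleLogin",
        {"type": "Root"}),
    _ev("2026-05-04T08:00:00Z", "iam.amazonaws.com", "ListUsers", JAY),
]

if __name__ == "__main__":
    for f in find_override_activity(SAMPLE_EVENTS):
        flag = "  <-- changes protected user" if f["hits_protected_user"] else ""
        print(f'{f["time"]} {f["actor"]:<12} {f["event"]}{flag}')
```

Rows with `hits_protected_user` set are the ones that map directly to the override scenarios listed under "What this means in practice".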
Strategic context
This finding is a vendor-sovereignty risk for Runwal Group’s AWS infrastructure. Audit was triggered by AJ’s suspicion that “some vendor purchased this on our behalf and given just the access” — confirmed correct.
Recommend treating this as a Tier-0 governance issue alongside any other vendor-managed infrastructure (CRM, CMS, analytics) that may have similar registration patterns.