Is AWS any less susceptible to Social Engineering attack of this type?
Specifically--can AWS support staff grant access to AWS accounts, and if so:
what are their criteria for doing so,
and what are the policies in place to ensure those criteria are met,
and how are those policies audited?
As a TechStars alum, my company was granted $50k in AWS credits, which were tied to my AWS account[1]. When I left the Company, the CEO was able to get the credits moved to a different AWS account that was company owned, without my intervention at all, even though I was the only account owner.
The fact that he could have credits moved out of the account without any kind of verification from me[2], should be cause for concern.
[1] I should have created a new Amazon account for a group email
[2] Obviously the credits belong to the company; they weren't mine to use, so I would have authorized the migration.
Amazon (non-AWS) is infamous for being vulnerable to social engineering attacks. I don't know if they've changed their policies more recently, but they are (or were) often the first attack vector for social engineering. If you can get access to an Amazon account you can get the last 4 digits of the user's credit card number(s). You can then use that info to reset accounts over the phone with other companies.