How to Remove and Close Accounts from AWS Organizations
Creating an AWS Account is a straightforward process, but there are instances where you need to completely close an AWS Account, especially when managing AWS Organizations or dealing with sandbox accounts. This guide focuses on the systematic steps to close an AWS Sandbox account as part of the leavers process.
Closing an AWS Sandbox Account Procedure
Step 1: Preparation
1.1 Ensure Backup:
Before initiating the closure, back up all essential data and configurations. This includes but is not limited to:
- Data stored in S3 buckets
- Configuration settings for EC2 instances
- Security group rules
- IAM policies and roles
1.2 Communication:
Communicate the account closure plan with relevant stakeholders to prevent misunderstandings and disruptions to ongoing operations. Provide a checklist of items they should be aware of during the closure process.
Step 2: Log in to the Root Account
2.1 AWS Management Console:
Log in to the AWS Management Console using the credentials of the organization’s management (root) account. Ensure the use of multi-factor authentication (MFA) for enhanced security.
Step 3: Move the Account to a Suspended Organizational Unit (OU)
3.1 Navigate to AWS Organizations:
Access the AWS Organizations service from the AWS Management Console.
3.2 Select the Member Account:
Identify and select the member account slated for closure from the list of accounts in your organization.
3.3 Move to Suspended OU:
If it does not already exist, create an organizational unit (OU) named “Suspended” and move the selected member account into it. This step restricts actions on the account and lets you apply Service Control Policies (SCPs) that permit root user actions only. Provide instructions on creating the “Suspended” OU if necessary.
Step 4: Reset the Password of the Root User for the Account to be Closed
4.1 AWS IAM:
Navigate to the IAM service in the AWS Management Console.
4.2 Select the User:
Locate and select the root user of the member account to be closed.
4.3 Reset Password:
Reset the password of the selected user to gain access to the account slated for closure. Ensure the chosen password is strong and secure. If MFA has been enabled, you will need to reset MFA as well.
Step 5: Log in to the Account as the Root User
5.1 AWS Management Console:
Log in again to the AWS Management Console, this time using the credentials of the root user of the member account scheduled for closure. Use MFA for this sign-in as well.
Step 6: Close the Account
6.1 Navigate to Account Settings:
Go to the top right corner of the AWS Management Console, select “My Account,” and navigate to the account settings page.
6.2 Close Account:
Scroll to the bottom of the page and select the “Close Account” option to initiate the closure process.
6.3 Confirm Account Closure:
Read through the warnings and acknowledgments carefully. Confirm your understanding of the consequences before proceeding with the closure.
6.4 Check for Outstanding Bills:
Before closing, ensure there are no outstanding bills or invoices associated with the account to avoid unexpected charges after closure.
6.5 Email Confirmation:
After initiation, check the account’s associated email for a confirmation from AWS. Confirm the closure via the provided link.
Step 7: Verification
7.1 Verify Account Closure:
After a period (typically 90 days), confirm that the account has been successfully closed and all associated resources have been deleted. This can be done through the AWS Management Console or by verifying a confirmation email.
Step 8: Documentation and Reporting
8.1 Document the Closure:
Document the closure details, including the reason and any relevant information. Use a template or create an outline for effective documentation.
8.2 Inform Stakeholders:
Inform relevant stakeholders of the successful closure of the account. Provide them with documentation for reference.
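Step 3 can also be scripted. The following is an added example, not part of the original guide, that uses the AWS Organizations API through boto3 to create the “Suspended” OU if it is missing, attach an SCP that denies everything except root user actions, and then move the account. The policy name, the SCP content and the account ID passed on the command line are assumptions.

```python
import json

# Assumed SCP (not from the guide): deny everything unless the caller is the account root user.
ROOT_ONLY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllExceptRootUser",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}},
    }],
}

def _all(call, key, **kwargs):
    """Collect `key` from every page of a paginated Organizations list call."""
    items = []
    while True:
        page = call(**kwargs)
        items += page[key]
        if not page.get("NextToken"):
            return items
        kwargs["NextToken"] = page["NextToken"]

def suspend_account(org, account_id, ou_name="Suspended", policy_name="suspended-root-only"):
    """Idempotently restrict account_id: ensure OU and SCP exist, attach, then move."""
    root_id = org.list_roots()["Roots"][0]["Id"]
    ous = _all(org.list_organizational_units_for_parent, "OrganizationalUnits", ParentId=root_id)
    ou_id = next((o["Id"] for o in ous if o["Name"] == ou_name), None)
    if ou_id is None:
        ou_id = org.create_organizational_unit(ParentId=root_id, Name=ou_name)["OrganizationalUnit"]["Id"]
    scps = _all(org.list_policies, "Policies", Filter="SERVICE_CONTROL_POLICY")
    policy_id = next((p["Id"] for p in scps if p["Name"] == policy_name), None)
    if policy_id is None:
        policy_id = org.create_policy(
            Name=policy_name, Type="SERVICE_CONTROL_POLICY", Content=json.dumps(ROOT_ONLY_SCP),
            Description="Deny all actions except by the account root user",
        )["Policy"]["PolicySummary"]["Id"]
    attached = _all(org.list_policies_for_target, "Policies", TargetId=ou_id, Filter="SERVICE_CONTROL_POLICY")
    if policy_id not in {p["Id"] for p in attached}:
        org.attach_policy(PolicyId=policy_id, TargetId=ou_id)  # attach before the move
    parent_id = org.list_parents(ChildId=account_id)["Parents"][0]["Id"]
    if parent_id != ou_id:
        org.move_account(AccountId=account_id, SourceParentId=parent_id, DestinationParentId=ou_id)
    return ou_id

if __name__ == "__main__":
    import sys, boto3  # run with management-account credentials
    print(suspend_account(boto3.client("organizations"), sys.argv[1]))
```

The SCP is attached to the OU before the account is moved, so the restriction is already in force when the account arrives. Running the script again for the same account makes no further changes.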
Q&A: Navigating the Closure of an AWS Account
Q1: Why would I need to close an AWS account, especially a sandbox account?
A1: Closing an AWS account, particularly a sandbox account, is essential for various reasons. In scenarios where employees leave a company, closing their AWS sandbox account ensures data security, prevents unauthorized access, and maintains a streamlined AWS environment.
Q2: Is closing an AWS account a reversible process?
A2: No, closing an AWS account is irreversible. It’s crucial to perform thorough backups and communicate with stakeholders before initiating the closure to avoid unintended consequences.
Q3: How do I prepare for closing an AWS account?
A3: Preparation involves two key steps:
- Ensure Backup: Back up all necessary data and configurations.
- Communication: Communicate the closure plan with relevant stakeholders to prevent disruptions.
Q4: Why move the account to a Suspended Organizational Unit (OU) in AWS Organizations?
A4: Moving the account to a Suspended OU helps restrict actions on the account and allows the use of Service Control Policies (SCPs) to permit only root user actions, enhancing security during the closure process.
Q5: What is the significance of resetting the password of the root user before closure?
A5: Resetting the password provides the necessary access to the AWS account during the closure process. This step ensures a smooth transition while maintaining control over the account.
Q6: How can I confirm the closure of an AWS account?
A6: After initiating the closure, check the email associated with the account for a confirmation from AWS. Following the provided link in the confirmation email is a crucial step to finalize the closure.
Q7: Why is there a verification period after closing an account?
A7: The verification period, typically around 90 days, allows AWS to ensure the successful closure of the account and the deletion of all associated resources. It’s a safety measure to confirm the account’s closure.
Q8: What documentation is recommended after closing an AWS account?
A8: Document the closure process, including the reason for closure and any pertinent details. This documentation serves as a reference and helps in maintaining a transparent record of actions taken.
Q9: How can I make the closure process seamless for stakeholders?
A9: Keep stakeholders informed throughout the closure process. Once the account is successfully closed, promptly inform relevant stakeholders to ensure everyone is on the same page.
Q10: Any final tips for closing an AWS account without disruptions?
A10: Double-check dependencies, communicate effectively, and ensure thorough documentation. This will help prevent data loss and service disruptions, making the closure process efficient and secure.