AWS Cloud Operations Blog
AWS Organizations now provides a simple, scalable and more secure way to close your member accounts
Today, you can centrally close member accounts in your AWS organization, enabling easier and more efficient management of the accounts in your AWS environment. This means you are able to close member accounts from your organization’s management account without needing to log in to each member account individually with root credentials. You can also ensure that only authorized IAM roles and users perform account closures by using AWS Identity and Access Management (IAM) permission policies, and prevent the accidental closure of AWS accounts that are critical in your environment. This capability is available through the AWS Organizations console, the AWS Command Line Interface (CLI), and our API/SDK for programmatic use.
The ability to centrally close accounts complements the existing Create Account action, providing you with end-to-end lifecycle management of your member accounts in AWS Organizations. In this blog post, we will use an example use case to demonstrate how you can centrally close AWS accounts in your organization. We will also walk you through both the AWS Organizations console and Command Line Interface (CLI) experience.
Use case overview:
Your company has deployed all your business applications in AWS and has scaled to a total of 300 AWS accounts in a single AWS Organization. You have structured your organization’s Organizational Unit (OU) hierarchy following AWS guidelines for using OUs as depicted in figure 1.
Figure 1: Sample Organization layout
After a modernization project, you have identified a group of legacy accounts that contain the resources of all the deprecated software your team has replaced. Following AWS guidelines, you have moved these accounts to the Suspended OU in your environment and applied a deny-all service control policy (SCP) so that no action is allowed in these accounts, which are to be deleted. Additionally, some of these legacy accounts were created by former employees, and their root credentials are not immediately available. You now need an efficient way to delete all legacy accounts.
Setting up permissions:
First, define your permissions. To prevent IAM principals (IAM users or roles) in the management account that have permission to close accounts from closing specific accounts in your organization, you can attach an additional policy that explicitly denies closing those accounts. The code snippet below shows an example.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PreventCloseAccount",
                "Effect": "Deny",
                "Action": "organizations:CloseAccount",
                "Resource": [
                    "arn:aws:organizations::555555555555:account/o-12345abcdef/123456789012",
                    "arn:aws:organizations::555555555555:account/o-12345abcdef/123456789014"
                ]
            }
        ]
    }
In the code snippet above, we use the “Resource” policy element to list all critical AWS accounts that we want to protect from deletion. Alternatively, you can use AWS account tags to avoid listing each account in the policy document. For this approach to work, you must make sure that all critical accounts are tagged appropriately. The code snippet below shows an example of a policy that uses account tags to prevent critical accounts from being closed.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PreventCloseAccountForTaggedAccts",
                "Effect": "Deny",
                "Action": "organizations:CloseAccount",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"aws:ResourceTag/AccountType": "Critical"}
                }
            }
        ]
    }
The policy document above uses the “aws:ResourceTag” condition key to prevent closing accounts that carry the tag key “AccountType” with the value “Critical”. By using the “StringEquals” condition operator, we ensure that only accounts tagged exactly this way are protected, while accounts tagged differently or not tagged at all can still be closed. Whenever you use tags in your security model, you should establish guidelines and controls to make sure that your AWS accounts are always properly tagged. For an introduction to using tags for assigning permissions to Organizations resources, including tag enforcement on resource creation, please refer to this blog post.
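The following added example (not code from the post or from AWS) performs the tag-hygiene check the paragraph calls for: it mirrors the StringEquals condition to flag accounts in OUs you treat as critical that the tag-based Deny would not protect, and generates the explicit Resource-list Deny from the first snippet for them as a fallback. The inventory is constructed, and the function names are hypothetical.

```python
import json

# Constructed inventory: one record per member account, as you would assemble
# it from list_accounts, list_parents and list_tags_for_resource.
ACCOUNTS = [
    {"Id": "111111111111", "Name": "log-archive", "OU": "Security",
     "Tags": {"AccountType": "Critical"}},
    {"Id": "222222222222", "Name": "audit", "OU": "Security",
     "Tags": {"AccountType": "critical"}},  # value case differs: not protected
    {"Id": "333333333333", "Name": "network", "OU": "Infrastructure",
     "Tags": {}},                           # tag missing: not protected
    {"Id": "444444444444", "Name": "legacy-erp", "OU": "Suspended",
     "Tags": {"AccountType": "Legacy"}},
]


def protected_by_tag_policy(account, key="AccountType", value="Critical"):
    """Mirror the Deny's StringEquals condition: an exact, case-sensitive
    match on the tag value. Any other value, or no tag at all, leaves the
    account closable under the tag-based policy."""
    return account["Tags"].get(key) == value


def untagged_critical(accounts, protected_ous, key="AccountType", value="Critical"):
    """Accounts in an OU you treat as critical that the tag-based Deny
    would NOT protect, i.e. the tagging gaps the paragraph warns about."""
    return [a["Id"] for a in accounts
            if a["OU"] in protected_ous
            and not protected_by_tag_policy(a, key, value)]


def explicit_deny_policy(mgmt_account_id, org_id, account_ids):
    """Generate the Resource-list Deny from the first snippet for the flagged
    accounts, so they stay protected until their tags are fixed. ARN layout
    follows the page: arn:aws:organizations::<mgmt>:account/<org-id>/<acct>."""
    arns = [f"arn:aws:organizations::{mgmt_account_id}:account/{org_id}/{acct}"
            for acct in sorted(account_ids)]
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "PreventCloseAccount", "Effect": "Deny",
                           "Action": "organizations:CloseAccount",
                           "Resource": arns}]}


if __name__ == "__main__":
    gaps = untagged_critical(ACCOUNTS, {"Security", "Infrastructure"})
    print("not protected by the tag policy:", gaps)
    print(json.dumps(explicit_deny_policy("555555555555", "o-12345abcdef", gaps), indent=2))
```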
Closing your legacy accounts:
Now that the proper permissions are in place, we will proceed with closing the legacy workload accounts in our organization. In the AWS Organizations console, select each account to be closed and choose “Close” on the account details page, as shown in figure 2 below:
Figure 2: Close Account in the AWS organizations console
You will then be prompted to confirm the account closure after acknowledging the 90-day closure period, the re-opening option, and the termination transition, as depicted in figure 3.
Figure 3: Close account confirmation
If you want to close your legacy accounts programmatically, you can use the CloseAccount API through the AWS CLI or the AWS SDK. Figure 6 shows a code snippet that accomplishes this task using the AWS CLI.
    aws organizations close-account --account-id 555555555555
    {
        "CloseAccountStatus": {
            "AccountId": "555555555555",
            "State": "IN_PROGRESS",
            "RequestedTimestamp": "2022-03-27T19:51:03.563000-07:00",
            "CompletedTimestamp": "2022-03-27T19:51:04.589000-07:00"
        }
    }
Note that you can centrally close up to 10% of the member accounts in your organization within a rolling 30-day window, up to a maximum of 1000 accounts (for more information about the CloseAccount quota and rate limits, check our existing quotas documentation).
Centrally closing an account in your organization has the same effect as closing it through the billing management console with root credentials. You can request the reinstatement of a closed account for a period of 90 days by signing in to the account and requesting that it be re-opened via a Customer Support ticket. After the 90-day period has elapsed, the account is permanently deleted and cannot be reinstated.
There are additional considerations if you manage your multi-account infrastructure with AWS Control Tower. If the accounts you need to decommission were created through Control Tower’s Account Factory or were enrolled in your landing zone using AWS Service Catalog, you must unmanage the accounts before closing them. For more information on how to unmanage these accounts, please refer to this documentation page.
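As an added example (not code from the post or from AWS), the script below plans a batch of programmatic closures for the legacy accounts under the rules just described: only accounts already parked in the Suspended OU, never one carrying the AccountType=Critical tag the Deny policy keys on, and no more than the 10% / 30-day / 1000-account quota allows. The inventory is constructed; the helper names are hypothetical; boto3 and the real close_account call are used only in the live path at the bottom.

```python
# Constructed inventory (an org listing joined with tags); boto3 is used only below.
QUOTA_PCT = 10      # percent of member accounts closable per rolling 30 days
QUOTA_MAX = 1000    # hard ceiling inside that window

INVENTORY = [
    {"Id": "444444444444", "OU": "Suspended", "Tags": {"AccountType": "Legacy"}},
    {"Id": "666666666666", "OU": "Suspended", "Tags": {"AccountType": "Critical"}},
    {"Id": "777777777777", "OU": "Suspended", "Tags": {}},
    {"Id": "888888888888", "OU": "Workloads", "Tags": {}},
]


def closure_budget(member_accounts, closed_last_30_days):
    """CloseAccount calls still allowed in the current 30-day window:
    min(10% of member accounts, 1000) minus what was already closed."""
    window_cap = min(QUOTA_MAX, member_accounts * QUOTA_PCT // 100)
    return max(0, window_cap - closed_last_30_days)


def candidates(inventory, suspended_ou="Suspended"):
    """Only accounts already parked in the Suspended OU, and never one
    carrying the AccountType=Critical tag the Deny policy keys on."""
    return [a["Id"] for a in inventory
            if a["OU"] == suspended_ou
            and a["Tags"].get("AccountType") != "Critical"]


def plan_closures(inventory, member_accounts, closed_last_30_days):
    """Split candidates into this window's batch and a deferred remainder."""
    ids = candidates(inventory)
    budget = closure_budget(member_accounts, closed_last_30_days)
    return ids[:budget], ids[budget:]


def close_accounts(org_client, account_ids):
    """Call close_account per id and return {id: State} from each response.
    Accounts still managed by Control Tower must be unmanaged beforehand."""
    states = {}
    for acct in account_ids:
        resp = org_client.close_account(AccountId=acct)
        states[acct] = resp["CloseAccountStatus"]["State"]
    return states


if __name__ == "__main__":
    import boto3  # live path: needs management-account credentials
    batch, deferred = plan_closures(INVENTORY, 300, closed_last_30_days=28)
    print("closing now:", batch, "deferred to next window:", deferred)
    print(close_accounts(boto3.client("organizations"), batch))
```

Each CloseAccount response carries the IN_PROGRESS state shown in the CLI output above; poll DescribeAccount or the Organizations console afterwards to confirm the account reaches its closed state.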
Summary
You can now streamline the lifecycle management of your AWS accounts by centrally closing member accounts that you no longer need in your AWS organization. In this blog post, we have shown you how this can be done. You can use the AWS Organizations console, CLI, or API/SDK to close member accounts in your organization efficiently and more securely, saving significant overhead on these administrative tasks while ensuring resource efficiency and overall security.
For more information on this feature please refer to our documentation page.
About the author
Eric is a Senior Technical Product Manager in the AWS Identity team, working on AWS Organizations service core features. Outside of work, Eric enjoys playing basketball and soccer. Eric holds an MBA degree from MIT Sloan.