Streamlining AWS Organizations Cleanup Strategies

AWS Organizations provides capabilities for AWS customers to centrally manage accounts in their multi-account environment. As the business landscape evolves, customers may need to close multiple AWS accounts or an entire organization. This could take place during mergers and acquisitions, to support cleanup efforts which reduce cost from unused resources, or decommissioning a venture or an application. In this blog post, we will cover best practices for planning your account closure strategy, including how to determine which accounts to close, how to protect accounts from unintended closure, how to navigate closure quota limits and post-closure wait times.

Step 1: Things to consider when identifying accounts for closure
Efficiently closing unused accounts can help reduce costs, enhance security, and streamline operations. To ensure that you make informed decisions about which AWS accounts to close, we recommend identifying accounts that have little account spend, analyzing account activity by looking at sign-in events and API activity in the CloudTrail logs, assessing account resource usage using the account bill, and evaluating business value of the account.

You can follow these steps when signed into the Organizations management account:

1. Create an inventory of all member accounts in an organization by following the use AWS Organizations to get a comprehensive list of all accounts documentation.
2. Identify accounts that have little to no activity by filtering for account spend. We recommend using $100 as the maximum spend threshold but you can adjust it based on the account usage patterns in your organization. You can leverage the provided Lambda code to create a list of AWS accounts within your organization that have incurred less than $100 in charges for three consecutive months. To set up the Lambda function, you will need to follow these steps:
   • Create an AWS Lambda function using the provided example code.
   • Configure the following permissions for the Lambda function:
     • Trust policy: This policy defines which AWS services or principals can assume the role associated with the Lambda function.
     • Inline policy: This policy defines the permissions required by the Lambda function to access billing data. Replace <Account-Id> with your AWS account ID and <LambdaFunctionName> with the name of your Lambda function.
     • Once the Lambda function and necessary permissions are set up, you can invoke the function to generate the list of accounts meeting the specified criteria (less than $100 in charges for three consecutive months).
3. Next, check each account against the IAM Access Analyzer unused access findings dashboard to identify if the account also falls under the “Accounts with the most active findings for unused access” category. IAM Access Analyzer can help surface accounts with the most unused IAM principals over a period of time. This data will help you prioritize accounts for closure and identify which accounts have unnecessary permissions.

Figure 1: Accounts with most active findings for unused access shown from AWS IAM Access Analyzer console.

4. Identify dependencies and business value by consulting stakeholders or primary contacts listed on the accounts you collected in the previous steps. It’s a best practice to ensure stakeholders and account owners are aware of potential account closures (although you can re-open accounts within 90 days of closure if needed). You can also review AWS services active in an account as an indicator of business value. For example, accounts with S3 usage may store important data that you may need to backup before the closure. Use the following steps to collect additional data about specific services active in accounts:

• • Review account activity by analyzing API calls using AWS CloudTrail logs to identify applications using resources in the account. You can also use AWS CloudTrail events to track when users last signed in to the AWS Management Console.
  • Evaluate resource usage by going to AWS billing and cost management > Bills. On the Bills page, under Charges by service, click the plus (+) icon to expand the AWS Region where the service is located. 

Figure 2: AWS Billing and Cost management console showing charges by service

Step 2: Protections you can provide to prevent undesired closure
Before you start closing multiple accounts in your organization, we recommend protecting all important accounts from accidental closure to avoid any business disruption. You can use the following measures to protect your important accounts from accidental closure:

1. Employ a combination of IAM permissions boundary policy and service control policy (SCP) to restrict account closure. We note both, because SCPs do not impact actions in the management accounts. To protect member accounts from closure by a management account, you will need to attach the same policy to IAM principals or use permissions boundary in the management account. In the policy attached to IAM principals in the management account, you can restrict closure of specific (or all) member account(s). The following policy denies account closures from the account or the organization management account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "account:CloseAccount",
                "organizations:CloseAccount"
                ],
            "Resource": "*"
        }
    ]
}

You can specify a list of accounts you want to protect from closure by listing the arn in the Resource element or by using the aws:ResourceTag tag global condition key in your policy. For examples, see prevent member accounts listed in this policy from getting closed and prevent member accounts with tags from getting closed .

2. Utilize Suspended Organization Unit (OU) and restrict CloseAccount API usage only for accounts within this OU. Review our recommendations for organizing your AWS environment using multiple accounts here.

3. Back up your data and workloads before closing accounts to avoid undesired content deletion using AWS services such as AWS Backup. You should also regularly test your recovery procedures to ensure you can meet your business objectives if you need to restore your backups. This paper covers how to implement backup and recovery approaches for cloud native, hybrid and on-premises applications, as well as covering how many different AWS services can be backed up and restored.

4. AWS closure process provides several other safeguards against undesired impact of unintentional account closure that complements closure protection and backup strategies outlined above:

• • Closure requirements and quotas prevent from accidental closure of large number of accounts. For a standalone AWS account or an AWS Organizations management account, closure can be initiated through the AWS Management Console using the root user. Additionally, to prevent accidental bulk closure of member accounts, you cannot close more than 10% of the accounts in your organization within a 30-day period. For example, if you have 500 member accounts, you can close up to 50 accounts.
  • If you accidentally closed an account, you can reopen your closed accounts within 90 days post-closure period to gain access to your content. AWS will start removing resources and data and permanently closing the account after the 90-day post closure period has ended. The AWS Account closure process is illustrated below.

Figure 3: AWS account closure process

Step 3: Use AWS Organizations management account to close member accounts at scale
Before you start closing accounts, you should be aware of the service limits and quotas. You can close 10% of member accounts in an organization, with a maximum of 1000 within a rolling 30-day period. The current published quotas are:

• < 100 accounts – You can close up to 10 member accounts
• 100 – 10,000 accounts – You can close up to 10% of your member accounts
• > 10,000 accounts – You can close up to 1000 member accounts

Note: For the latest information on quotas, see Quotas for AWS Organizations.

You can either close the member accounts programmatically or via console from the your organization’s management account. Individual accounts can be closed from their console as well as using root user – these closures will not count against your close account quota. We recommend using AWS Organizations management account to close multiple accounts.

To close multiple accounts programmatically, create a Lambda function with the example code along with a new role with following permissions in the management account:

• Trust policy: This policy defines which AWS services or principals can assume the role associated with the Lambda function.
• Inline policy: This policy defines the permissions required by the Lambda function to access billing data. Replace <Account-Id> with your AWS account ID and <LambdaFunctionName> with the name of your Lambda function.

Step 4: Confirm account closure
You will receive the account closure notification to the root email address of the account. Additionally, any closed member account will display a SUSPENDED label next to its account name in the AWS Organizations console.

You can also use AWS CloudTrail to track when an AWS account was closed and identify when the 90-days post-closure period ends:

1. Sign in to the AWS Organizations management account AWS Management Console.
2. Navigate to the “CloudTrail” service.
3. In the CloudTrail dashboard, select the appropriate trail that logs AWS account activity.
4. Use the filters to search for events related to account closure. Look for events with the action “CloseAccountResult” or any related activities that indicate account closure.
5. Review the timestamp of these events to determine when the account was closed.

Figure 4: AWS CloudTrail console showing CloseAccount API calls in a given time frame

Step 5: Close your management account (if needed)

If you are closing an entire organization, you can close your management account only after you closed or removed all member accounts, otherwise the management account closure will fail. After you closed all member accounts, you can proceed with closing the management account in your organization from the accounts console. Please note, you will need to sign in as a root user in order to close your management account.

Conclusion

In this post, we covered best practices for an effective strategy to close multiple accounts in an organization. By following the outlined steps, organizations can optimize costs, enhance security, and streamline operations. Key considerations when closing multiple accounts in an organization include: prioritizing accounts based on activity and business value, implementing safeguards to prevent unintended closures, leveraging automation for efficiency, and ensuring proper backup.

About the Author