AWS Organizations Now Supports Self-Service Removal of Accounts from an Organization
August 24, 2020: We’ve updated this post to reflect changes to the requirements for removing an account from an organization.
Today, AWS Organizations made it easier for you to remove AWS accounts from an organization. You can remove accounts from an organization without requiring assistance from AWS Support, and the accounts you remove can operate as standalone accounts or be invited to join another organization. For example, you could remove graduating students’ AWS accounts from your organization to become standalone accounts or move accounts into another organization after an acquisition.
In this blog post, I explain the information and permissions required to remove accounts from an organization, and then I demonstrate how to remove an account from an organization.
Information and permissions required to remove accounts from an organization
In order to remove an AWS account from an organization, you must have permission to do so. To verify that your AWS Identity and Access Management (IAM) user or role has the required permissions to remove an account from an organization, navigate to the IAM console. Though you also can remove an account from your organization after signing in as the root user, AWS recommends you follow IAM best practices and use an IAM user or role instead.
To remove an AWS account from an organization, your IAM user or role must have the following permissions:
In order for an AWS account in an organization to be removed and become a standalone account, the account must have the following:
- Contact information
- A valid payment method, such as a credit card
- A verified phone number
- A selected support plan option
In certain situations, you may need to update some of this required information for the AWS account you want to remove and the Organizations console walks you through the steps to update it. If you need to update the payment method for the AWS account, the IAM user or role performing the action must have the following permissions:
For a complete list of required permissions, steps to remove an account from an organization, and important information applicable to programmatically created accounts in Organizations, see Removing a Member Account from Your Organization.
How to remove an AWS account from an organization
Let’s say that I need to remove some students’ AWS accounts from one of my university’s organizations because the students are graduating and want to continue using their AWS accounts independently of the organization.
To remove these student accounts from the organization:
- I navigate to the Organizations console, choose the accounts that I want to remove, and choose Remove accounts.
- I confirm that I want to remove these accounts by choosing Remove.
- The accounts for
Richard Roealready had all of the information required to become standalone accounts and are removed from the organization. The accounts that require additional information to become standalone accounts show a status of Remove failed. In this example, I must complete the information for the
Carlos Salazaraccounts before I can remove them.
I will work on the
Jane Doe and
Carlos Salazar accounts one at a time. To see the sign-in options for the
Jane Doe account, I choose Sign-in options.
- I want the students to provide their additional required information so that their accounts can become standalone accounts. To allow Jane, the student who owns the
Jane Doeaccount, to sign in to her account and provide the missing information, I choose Copy link and email the link to Jane.
To complete this process for the
Carlos Salazar account, I return to the account list on the previous page and choose Sign-in options for the
Carlos Salazar account. I email Carlos, the owner of the
Carlos Salazar account, a self-service account removal link. Both account owners follow the same process to remove their accounts from the organization.
- After receiving the email from me with the sign-in link, Jane clicks the link to sign in to her
Jane Doeaccount. After signing in, Jane provides and submits the information that is required to make her account a standalone account. Jane then is taken to the Organizations console where she chooses Leave organization to remove her account from the organization.
- After Jane chooses Leave organization, she is redirected to the Organizations console, and a notification confirms that the
Jane Doeaccount has been removed from the organization.
- As the administrator in the master account of the organization, I can verify the successful removal by checking that the
Jane Doeaccount no longer shows up in the list of accounts. Alternatively, if CloudWatch Events has been set up for Organizations, notifications can be provided through additional channels. For information about how to set up CloudWatch Events for Organizations, see Tutorial: Monitor Important Changes to Your Organization with CloudWatch Events.
Today, AWS Organizations made it easier for you to remove AWS accounts from your organization so that they can operate independently of your organization. To remove an AWS account from your organization, sign in to the Organizations console.
If you have comments about this post, submit them in the “Comments” section below. If you have questions about or issues implementing this solution, start a new thread on the Organizations forum.