AWS Cloud Operations Blog

AWS Organizations, moving an organization member account to another organization: Part 2

In part one, we identified different features of Organizations requiring guidance and consideration when you move an account from one organization in Organizations to another. We focused on Organizations Polices, AWS Resource Access Manager (AWS RAM) shares, and AWS global condition context keys.

In this post, part two of a three-part series, we identify behaviors and provide actions for when you want to move an account registered as an Organizations delegated administrator for one or more compatible AWS services in your organization. We have included information and guidance to help you understand what happens and plan for when you deregister a delegated administrator for an AWS service. We also provide any guidance for when you move an account into an organization that has an existing delegated administrator for an AWS service. As with part one, we continue to build on the information provided in the Organizations User Guide for removing a member account from your organization and inviting an AWS account to join your organization. Moving an account between organizations requires you to remove the account from an organization, making the account standalone, and then accepting an invite to join another organization. Before you remove an account from your organization, we recommend that you determine if you have one or more delegated administrators registered in the organization.

This post uses AWS Command Line Interface (AWS CLI) examples. To utilize these, you must first install and configure the AWS CLI. For more information, see Installing the AWS CLI.

AWS Organizations delegated administrator

When you designate a member account to be a delegated administrator for the organization, configured users and roles from that account can perform administrative actions for the compatible AWS service. This helps you separate management of the organization from management of the AWS service. When you must move a member account from an organization which is registered as a delegated administrator for one or more AWS services, you must deregister the account as a delegated administrator before removing from the organization. Before you deregister an account and remove from the organization, you’ll want to understand what happens to the account and any actions to consider.

We have included a list of AWS services that currently support an organization’s delegated administrator. You can find an AWS service listed by either AWS service name or service principal name. The service principal name can be found when you use the AWS CLI list-delegated-services-for-account command to discover one or more registered delegated administrators for an account. For some AWS services, you can also find if a delegated administrator account is configured in the AWS service console.

The following AWS CLI example retrieves the AWS services for which the specified account is a delegated administrator. Replace <account-id> with the AWS account ID that you want to check if configured as a delegated administrator for one or more AWS services.

PROMPT> aws organizations list-delegated-services-for-account --account-id < account-id >

To determine if there are AWS accounts in the organization that are delegated administrators for one or more AWS services, you can use the AWS CLI list-delegated-administrators command to the list the accounts. The following example uses AWS CLI commands to determine any assigned delegated administrator for a given AWS service and where to find the service principal for the AWS service listed.

  1. The following AWS CLI example retrieves a list of any AWS accounts that are designated as delegated administrators in the organization.
    PROMPT> aws organizations list-delegated-administrators
  2. The following AWS CLI example retrieves the AWS services for which the specified account is a delegated administrator. Replace <account-id> with each “Id” value found in the previous step, repeating the command to iterate through the list of “DelegatedAdministrators“ found.
    PROMPT> aws organizations list-delegated-services-for-account --account-id < account-id >

To determine if a specified AWS service has a delegated administrator, you can use the AWS CLI list-delegated-administrators command. The following AWS CLI example retrieves any AWS accounts that are designated as delegated administrators in the organization for the AWS service defined by the specified service principal. Replace <service-principal> with the AWS service principal that you want to check.

PROMPT> aws organizations list-delegated-administrators --service-principal < service-principal >

You can deregister an account as the delegated administrator for the compatible AWS services using organization management account credentials and the AWS CLI deregister-delegated-administrator command. Some AWS services, such as AWS Audit Manager, Amazon Detective, AWS Firewall Manager, Amazon GuardDuty, Amazon Macie, AWS Security Hub, and Amazon VPC IP Address Manager (IPAM) have their own specific commands or console options for registering and deregistering an account. We’ve detailed any command variations under the listed AWS services that are currently supporting a delegated administrator.

The following AWS CLI example removes the specified organization member account as a delegated administrator for the specified AWS service. Replace <account-id> with the AWS account ID number of the member account in the organization that you want to deregister as a delegated administrator. Replace <service-principal> with the service principal name of an AWS service for which the account is a delegated administrator.

PROMPT> aws organizations deregister-delegated-administrator --account-id < account-id > --service-principal < service-principal >

In some cases, you can have more than one delegated administrator account in an organization for specific AWS services, including AWS Service Catalog, AWS CloudFormation StackSets, AWS Network Manager, Amazon S3 Storage Lens, AWS Trusted Advisor, and AWS Config. Later in this post, we’ll detail the quota for each. If you haven’t registered all delegated administrator capacity for an AWS service that supports more than one delegated administrator, then you can register another account before you deregister an account. You can use this as an option when you plan to retain the organization and are looking to move the current delegated administrator to another organization. Consider configuring another delegated administrator in the organization to support operations during the migration of numerous accounts or if the organization remains. Choose an account that remains in the organization, or an existing account that you’ll migrate last or close (delete), you can assign all of the delegated administrators to this account during a migration.

When an account that was previously a delegated administrator in an organization is moved to another organization, it joins the organization as a member account. The account isn’t registered as a delegated administrator for any compatible AWS services.

When moving your account into another organization, you should check if you must configure your account to work with an existing delegated administrator for one or more AWS services. For most cases you don’t need to configure the account. However, you may need to configure the delegated administrator account, and we have included any guidance within the list of AWS services that currently support an organization’s delegated administrator. To check if there are any AWS accounts in the target organization that are delegated administrators for one or more AWS services, you can use the AWS CLI list-delegated-administrators command. If you discover one or more delegated administrators in the organization, then you can discover which AWS services, using the AWS CLI list-delegated-services-for-account command. Using this information, you can plan any actions required when you add more accounts into an organization.

AWS services that currently support AWS Organizations Delegated Administrator

The following list of AWS services work with Organizations and currently support a delegated administrator. This section includes guidance and behavior for you to consider before you deregister an account as a delegated administrator for the AWS service. You’ll also find any configuration for your account when you move into an organization with an existing delegated administrator.

AWS Account Management: account.amazonaws.com

When you deregister a delegated administrator account for AWS Account Management, configured users and roles from that account can no longer perform administrative actions for AWS Account Management. The account can no longer call the AWS Account Management API operations for other member accounts in the organization.

AWS Audit Manager: auditmanager.amazonaws.com

When you deregister a delegated administrator account for AWS Audit Manager, configured users and roles from that account can no longer perform administrative actions for AWS Audit Manager. You continue to have access to the evidence previously collected with the account. However, Audit Manager stops collecting and attaching evidence to the account moving forward. To remove a delegated administrator, you can use the management account Audit Manager console or the AWS CLI deregister-organization-admin-account command.

AWS CloudFormation StackSets: member.org.stacksets.cloudformation.amazonaws.com

When you deregister a delegated administrator account for AWS CloudFormation StackSets, configured users and roles from that account can no longer perform administrative actions for AWS CloudFormation StackSets. The account will no longer have permissions to create or manage service-managed stack sets for the organization. Stack sets created with service-managed permissions are retained in the organization management account. You can register up to five member accounts in an organization as a delegated administrator for AWS CloudFormation StackSets.

Before moving your account into another organization, check any configured StackSets deployment targets in the target organization. You’ll want to determine if the StackSet will be applied to the account that you’re moving and make sure that the account is included or excluded as required. If you have setup StackSets using self-managed permissions, then moving a target account or the administrator account isn’t effected by an organization change. Check the AWS Identity and Access Management (IAM) role policies for the AWSCloudFormationStackSetAdministrationRole in the administrator account and the AWSCloudFormationStackSetExecutionRole in the target accounts for Organizations related condition keys mentioned in part one of this post series.

AWS Compute Optimizer: compute-optimizer.amazonaws.com

When you deregister a delegated administrator account for AWS Compute Optimizer, configured users and roles from that account can no longer perform administrative actions for AWS Compute Optimizer. The account can no longer access and manage Compute Optimizer recommendations for member accounts in the organization, or set Compute Optimizer recommendation preferences for an organization.

AWS Config: config-multiaccountsetup.amazonaws.com

When you deregister a delegated administrator account for AWS Config, config rules and conformance packs, configured users, and roles from that account can no longer perform administrative actions for AWS Config. The account can no longer deploy and manage config rules and conformance packs across the organization. Conformance packs and config rules deployed by the delegated administrator account will automatically be removed from the account and all organization member accounts. You can register up to three member accounts in an organization as a delegated administrator for AWS Config config rules and conformance packs.

When you move an account into another organization, you must make sure that the AWS Config configuration recorder is enabled for the account to work with either the management account or existing delegated administrator for AWS Config rules and conformance packs. The deployment of existing organizational rules and conformance packs will only be retried for seven hours after an account is added to an organization if a recorder isn’t available.

AWS Config: config.amazonaws.com

When you deregister a delegated administrator account for AWS Config data aggregation, configured users and roles from that account can no longer perform administrative actions for AWS Config. The account can no longer aggregate AWS Config data across the organization and any configured aggregators no longer receive data. You can register up to three member accounts in an organization as a delegated administrator for AWS Config data aggregation. If you register the same account in the same organization as the delegated administrator, then any configured data aggregators continue to collect data. When you move an account into another organization, you must enable AWS Config for the account to work with an existing delegated administrator with AWS Config data aggregation setup for the organization.

Amazon Detective: detective.amazonaws.com

When you deregister a delegated administrator account for Amazon Detective configured users and roles from that account can no longer perform administrative actions for Amazon Detective. Amazon Detective is disabled in the delegated administrator account and all organization behavior graphs are deleted.

To deregister a delegated administrator for Amazon Detective, you must use the management account Detective console or the AWS CLI disable-organization-admin-account command. If you use the Detective console, then the Detective administrator will be removed in the current region, and you must remove the administrator for each Region. If you use the AWS CLI disable-organization-admin-account command, then you must use organization management account credentials and remove the Detective administrator for each region. Using either console or command method, you must remove the organization designated delegated administrator using the AWS CLI deregister-delegated-administrator command.

When moving an account into another organization, check the configuration of Amazon Detective for managing organization accounts as member accounts. Amazon Detective can be configured to enable new organization accounts as Amazon Detective member accounts automatically, or enable organization accounts manually.

Amazon DevOps Guru: devops-guru.amazonaws.com

When you deregister a delegated administrator account for Amazon DevOps Guru, configured users and roles from that account can no longer perform administrative actions for Amazon DevOps Guru. The account will no longer have access to a consolidated view of all DevOps Guru insights and metrics across the organization. The organization management account continues to have access to all insights across all accounts in the organization.

AWS Firewall Manager: fms.amazonaws.com

When you deregister a delegated administrator account for AWS Firewall Manager, configured users and roles from that account can no longer perform administrative actions for AWS Firewall Manager. All Firewall Manager policies created by the Firewall Manager administrator account are deleted, including associated AWS Config managed rules. When a Firewall Manager policy is deleted, the policy scope configuration for policy types Network Firewall, Security group (common) and WAF determines if Firewall Manager retains or removes protections and delete Firewall Manager-managed resources. Consider when a DNS Firewall policy is deleted, managed associations between Amazon Route 53 Resolver DNS Firewall rule groups and any Amazon Virtual Private Cloud VPCs will be removed.

Before you remove the delegated administrator, you must capture the configuration of the Firewall Manager including any security polices, applications, and protocol lists. With this information you can align another delegated administrator account to this configuration. You can list the Firewall Manager security policies, application, and protocols using organization management account credentials and the AWS CLI list-policies, list-apps-lists, and list-protocols-lists commands respectively.

To remove a delegated administrator, you can use the delegated administrator account Firewall Manager Console or the AWS CLI disassociate-admin-account command using delegated administrator account credentials and the AWS Region US East N. Virginia (us-east-1). If you discover that the account is still registered as a delegated administrator when removing the account from the organization, then you can use the AWS CLI deregister-delegated-administrator command. When you move an account into another organization, for any existing AWS Firewall Manager policies, check that the scope policy includes or excludes (as required) the account you are moving into the organization.

Amazon GuardDuty: guardduty.amazonaws.com

When you deregister a delegated administrator account for Amazon GuardDuty, configured users and roles from that account can no longer perform administrative actions for Amazon GuardDuty. Deregistering the delegated administrator account doesn’t disable GuardDuty in the account or in any organization member accounts. Accounts within the organization are disassociated and converted to GuardDuty standalone accounts, retaining any settings.

To deregister a delegated administrator for Amazon GuardDuty, you must use the management account GuardDuty console or the AWS CLI disable-organization-admin-account command. If you use the Amazon GuardDuty console, then the GuardDuty administrator will be removed in all of the regions and the GuardDuty organization designated delegated administrator is removed. If you use the AWS CLI disable-organization-admin-account command, then you must remove the GuardDuty administrator for each region and then remove the organization designated delegated administrator using the AWS CLI deregister-delegated-administrator command.

When moving an account into another organization, for each region you have enabled Amazon GuardDuty for the organization, the account will automatically be associated as a GuardDuty member account. If an account isn’t associated, then you can manually add as a member account using the delegated administrator account GuardDuty console.

IAM Access Analyzer: access-analyzer.amazonaws.com

When you deregister a delegated administrator account for IAM Access Analyzer, configured users and roles from that account can no longer perform administrative actions for IAM Access Analyzer. The account loses permission to all analyzers with organization as the zone of trust that were created using that account. Any configured analyzers move to a disabled state and no longer generate new or update existing findings. The existing findings for these analyzers are also no longer accessible. However, you can access them again in the future by registering the same account as the delegated administrator in the same organization. If you know that you won’t use the same account as a delegated administrator, then consider deleting the analyzers before changing the delegated administrator, as this will delete all generated findings. If you register another account as a delegated administrator and create new analyzers, then new instances of the same findings are generated in this account. When you move an account into another organization, if there are already analyzers created with the organization as the zone of trust, then the account will be included in the set of resources that are analyzed.

AWS IAM Identity Center (successor to AWS Single Sign-On): sso.amazonaws.com

When you deregister a delegated administrator account for AWS IAM Identity Center, configured users and roles from that account can no longer perform administrative actions for AWS IAM Identity Center. Permissions or assignments configured in AWS IAM Identity Center aren’t affected and end users continue to have access to their apps and AWS accounts from within the AWS access portal.

Amazon Inspector: inspector2.amazonaws.com

When you deregister a delegated administrator account for Amazon Inspector, configured users and roles from that account can no longer perform administrative actions for Amazon Inspector. The account loses access to monitor Inspector for the organization, and it can no longer access the metadata of associated organization member accounts, including Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Container Registry (Amazon ECR) configuration data and security finding results. Deregistering the delegated administrator doesn’t disable Inspector in the account or in any organization member accounts. Accounts within the organization are disassociated and converted to Inspector standalone accounts, retaining any scan settings.

When removing the delegated administrator, using the organization management account Amazon Inspector console, you have the option to remove the delegated administrator from all Regions. When using the AWS CLI deregister-delegated-administrator command, this automatically removes the delegated administrator from all Regions. If you configure another delegated administrator for Inspector in the same organization, then you must manually associate organization members to the delegated administrator account.

When moving an account into another organization, for each region you have configured Amazon Inspector for Auto-enable scanning for new member accounts, an account will automatically be associated with an Inspector delegated administrator. If an account isn’t associated, then you can manually add as a member account using the delegated administrator account Inspector console.

AWS License Manager: license-manager.amazonaws.com: license-manager.member-account.amazonaws.com

When you deregister a delegated administrator account for AWS License Manager, configured users and roles from that account can no longer perform administrative actions for AWS License Manager. You should check if you’re using AWS RAM to share AWS License Manager license configurations with one or more AWS accounts either directly or through Organizations. In part one of this post series, we cover AWS RAM resource shares and considerations when moving between organizations for both owner and consumer accounts.

Amazon Macie: macie.amazonaws.com

When you deregister a delegated administrator account for Amazon Macie, configured users and roles from that account can no longer perform administrative actions for Amazon Macie. The account loses access to all Macie settings, data, and resources for all Macie associated member accounts across all AWS Regions. Deregistering the delegated administrator account doesn’t disable Macie in the account or in any organization member accounts. Accounts within the organization are disassociated and converted to Macie standalone accounts, retaining any settings.

To deregister a delegated administrator for Amazon Macie you need to use organization management account credentials with the AWS CLI disable-organization-admin-account command. You will need to remove the Macie administrator for each region configured, and then remove the organization designated delegated administrator using the AWS CLI deregister-delegated-administrator command.

When moving an account into another organization, for each region you have turned on the Auto-enable setting, an account will automatically be associated with a Macie delegated administrator. If an account isn’t associated, then you can manually add as a member account using the delegated administrator account Macie console.

AWS Network Manager: networkmanager.amazonaws.com

When you deregister a delegated administrator account for AWS Network Manager, configured users and roles from that account can no longer perform administrative actions for Network Manager. Any registered transit gateways from other member accounts are deregistered from any global networks created in the account. The network topology is updated to no longer show resources from other member accounts. You can register up to ten member accounts in an organization as a delegated administrator for Network Manager.

AWS Security Hub: securityhub.amazonaws.com

When you deregister a delegated administrator account for AWS Security Hub, configured users and roles from that account can no longer perform administrative actions for Security Hub. Deregistering the delegated administrator doesn’t disable Security Hub in the account or in any organization member accounts. Accounts within the organization are disassociated and converted to Security Hub standalone accounts, retaining any settings.

To deregister a delegated administrator for AWS Security Hub, you must use the management account Security Hub console or the AWS CLI disable-organization-admin-account command. If you use the Security Hub console, then the Security Hub administrator will be removed in all regions and the Security Hub organization designated delegated administrator is removed. If you use the AWS CLI disable-organization-admin-account command, then you must use organization management account credentials and remove the Security Hub administrator for each region. Once complete, remove the organization designated delegated administrator using the AWS CLI deregister-delegated-administrator command.

When moving an account into another organization, for each region you have turned on the Auto-enable setting, an account will automatically be associated with an Security Hub delegated administrator. If an account isn’t associated, then you can manually add as a member account using the delegated administrator account Security Hub console.

Amazon S3 Storage Lens: storage-lens.s3.amazonaws.com

When you deregister a delegated administrator account for Amazon Simple Storage Service (Amazon S3) Storage Lens, configured users and roles from that account can no longer perform administrative actions for Amazon S3 Storage Lens and create organization-level dashboards. Amazon S3 Storage Lens Organization-level dashboards created by the delegated administrator are automatically disabled. The deregistered account can continue to view the historic data for these disabled dashboards according to the respective period that data is available for queries. You can register up to five member accounts in an organization as a delegated administrator for Amazon S3 Storage Lens.

AWS Service Catalog: servicecatalog.amazonaws.com

When you deregister a delegated administrator account for AWS Service Catalog, configured users and roles from that account can no longer perform administrative actions for AWS Service Catalog. Furthermore, they are no longer authorized to create, delete, and share portfolios. AWS Service Catalog portfolio shares that were created from the account are removed.

If there are one or more accounts remaining in the organization that have provisioned products from a portfolio shared by the delegated administrator account, then you can setup another delegated administrator in the same organization and migrate any shared products. You can also register up to fifty member accounts in an organization as a delegated administrator for AWS Service Catalog. If you have a shared portfolio in the organization management account, then we highly recommend migrating the portfolio to a delegated administrator account.

To migrate shared products to an AWS Service Catalog delegated administrator in the same organization:

  1. Check if the AWS Service Catalog shared portfolio in the source delegated administrator account contains any provisioned products. If you find a product, then you can migrate the product to a portfolio in another account, registered as delegated administrator. Note any account IDs with which the portfolio is shared.
  2. Register another delegated administrator account for AWS Service Catalog, as this will be used to manage the portfolio for any provisioned products.
  3. Create a new portfolio in the target delegated administrator account using the same template as the original product to avoid termination and recreation of the resources of the provisioned product.
  4. Share and import the portfolio that you created in Step 3, with accounts that you identified in Step 1. These are the accounts that have provisioned products from the portfolio.
  5. In each account you have the shared the portfolio with, select the provisioned product and use update to change the product, as well as select the product you shared from the target delegated administrator account. You will observe the message ‘Changing the product will update this provisioned product to a different product template. This may terminate resources and create new resources.’ You can ignore this message if you have created the portfolio using the same template as the original product.
  6. Once you’ve migrated all of the portfolios and associated products from the source delegated administrator account, you can remove the original share from the portfolio in the source delegated administrator account. You can deregister the source delegated administrator account.
  7. [Optional] If the portfolio and shares created by a delegated administrator aren’t removed after the delegated administrator account is deregistered, then register and deregister the delegated administrator again. This second action removes the portfolio and shares created for the account.

If you’re moving an account with a provisioned product from an AWS Service Catalog shared portfolio to another organization, then you can associate the product with a portfolio in the target organization. In the target organization, you can recreate the portfolio and product in a registered delegated administrator account for AWS Service Catalog and share with the organization. When an account joins the target organization, you can update the provisioned product to the product shared in the organization. You can use this approach if you’re removing an organization and want to retain shared portfolios by moving to the target organization.

To migrate shared products to the delegated administrator in another organization:

  1. Check if the AWS Service Catalog shared portfolio in the source delegated administrator account contains any provisioned products. If you find a product, then note any AWS account IDs with which the portfolio is shared.
  2. Update the portfolio share to use either ‘ORGANIZATION_MEMBER_ACCOUNT’ or ‘ACCOUNT’ and specify the AWS account ID for the account moving to the target organization with provisioned products. This will allow the product to remain in the account when you remove the account from the Organization.
  3. In the consumer account, import the shared portfolio if not shown, and then update the permissions for the product for the required principles of the account.
  4. Register an account as a Service Catalog delegated administrator in the target organization, as this will be used to manage the portfolio for any provisioned products.
  5. Create a new portfolio in the target delegated administrator account using the same template as the original product to avoid termination and recreation of the resources of the provisioned product. Share the portfolio with the Organization or target Organization for the accounts that you’re moving that have provisioned products from the source shared portfolio.
  6. When you remove your portfolio consumer account from the source organization, you’ll notice the shared portfolio, products are viewable, and your provisioned products remain without change.
  7. When you add the consumer account to the target organization, in your account, import the shared portfolio if not shown, and update the permissions for the product for the required principles of the account.
  8. In each account that you have the shared the portfolio with, select the provisioned product and use update to change the product, as well as select the product that you shared from the new delegated administrator account. You will change the provisioned product from the original product shared by the source organization to the same product that you created in the target organization. You’ll observe the message ‘Changing the product will update this provisioned product to a different product template. This may terminate resources and create new resources.’ You can ignore this message if you have created the portfolio using the same template as the original product.
  9. In the source organization delegated administrator account, remove the account share that you created earlier. This will remove the portfolio and product from the consumer account, leaving only the newly shared portfolio and products which are now the new owner for the provisioned product.
  10. [Optional] If the delegated administrator account in the source organization is moving to the target organization, then once you’ve migrated all of the portfolios and associated products from the source delegated administrator account, you can de-register this account as delegated administrator.
  11. [Optional] If the portfolio and shares created by a delegated administrator don’t get removed after the delegated administrator is de-registered, then register and de-register the delegated administrator again. This action removes the portfolio and shares created by that account.

AWS Systems Manager: ssm.amazonaws.com

When you deregister a delegated administrator account for AWS Systems Manager, this effects both Systems Manager Explorer and Change Manager. Configured users and roles from the account no longer perform administrative actions for Systems Manager Explorer or Change Manager. The account no longer has access to the Organizations resource data sync API operations. Systems Manager Explorer deletes all delegated administrator organization resource data syncs and contained data. This action is permanent and can’t be undone. The account can no longer manage Change Manager activities across the organization, including managing change templates, change requests, change runbooks, and approval workflows. Any Change Manager requests created in the delegated administrator account that apply change to multiple Organizational Units (OUs) remain. However, these will fail to run successfully, and this includes scheduled requests and requests awaiting approval.

AWS Trusted Advisor: reporting.trustedadvisor.amazonaws.com

When you deregister a delegated administrator account for AWS Trusted Advisor, configured users and roles from the account no longer perform administrative actions for AWS Trusted Advisor. The account can no longer review, accept, resolve, reject, and reopen recommendations in Trusted Advisor Priority. Moreover, you won’t receive email notifications from Trusted Advisor Priority. You can register up to five member accounts in an organization as a delegated administrator for AWS Trusted Advisor.

Amazon VPC IP Address Manager (IPAM): ipam.amazonaws.com

When you deregister a delegated administrator account for Amazon VPC IP Address Manager (IPAM), configured users and roles from the account no longer perform administrative actions for IPAM. The account can no longer manage and monitor IP allocations in the organization, and it can no longer share an IPAM pool across organization member accounts. To remove a delegated administrator, you can use the organization management account IPAM console or the AWS CLI disable-ipam-organization-admin-account command.

When you deregister the account, if you’re sharing an IPAM pool using AWS RAM across the organization, then the resource share is retained. However, member accounts can no longer access the shared IPAM. If you try to use the shared IPAM pool, then you receive an exception “The operation AllocateIpamPoolCidr is not supported. Account <account-id> is not monitored by IPAM ipam-<ipam-id>.” When an account leaves the organization, any organization principle in the IPAM pool resource share is automatically disassociated from the share.

If you’re moving an account registered as a delegated administrator for IPAM that has shared IPAM pools across the organization, and you’re retaining the organization, then you can setup the same IPAM pool configuration in another account. Once you’ve deregistered the current delegated administrator, register the account for which you setup the alternative IPAM as the delegated administrator and share with the organization. An AWS account that remains in the organization, that has resources or an Amazon VPC with an allocated CIDR block from a previously shared IPAM pool, will be tracked in the newly established IPAM pool.

If you’re moving an account registered as a delegated administrator for IPAM, then you can use a retained IPAM in the account in the target organization after moving the account. If you plan to retain and use the IPAM, then you should consider releasing an allocation of a CIDR block for resources of one or more accounts that will remain in the source organization. Otherwise, the CIDR block will continue to be marked as allocated. CIDR blocks marked as allocated for the resources of AWS accounts which don’t move into the target organization will no longer be reflected as managed by the target organization delegated administrator. To use the IPAM in the target organization, you must register the account as the delegated administrator for IPAM. In the account, you must modify the AWS RAM resource share to associate principals for the target organization. An account that you move into the same organization that has an Amazon VPC with an allocated CIDR block from the IPAM will be tracked. If you already have a delegated administrator for IPAM in the target organization, then you can configure a new or existing IPAM with CIDR blocks for allocation to resources in one or more of the accounts that move into the organization.

Conclusion

In this post, we’ve helped you determine any organization’s delegated administrators, and identify behavior and actions when you want to move an account registered as a delegated administrator for one or more compatible AWS services. You’ve learned that you must deregister an account as an organization’s delegated administrator before you can remove an organization. You’ve also learned how to determine if an account is a delegated administrator for one of more AWS services, as well as the behaviors to expect and actions to take when deregistering an account.

This post series steps you through the different features of Organizations, providing guidance and consideration for when you’re using Organizations and moving an AWS account from one organization to another.

In part one of the series, we walked you through the different features of Organizations, providing guidance and consideration for when you’re using Organizations to move an AWS account from one organization to another. In part three, we’ll help you determine AWS services with trusted access in the organization, and identify actions and behaviors before you move an AWS account.

About the authors:

Karl Schween

Karl Schween is a Principal Solutions Architect at Amazon Web Services. He helps customers craft highly-scalable, flexible, and resilient cloud architectures that address their business problems.

Deepa Pahuja

Deepa Pahuja is a Senior Solutions Architect at Amazon Web Services. Deepa enjoys working with customers to create architectures that use cloud-native services to solve business problems. Outside of work, Deepa enjoys exploring new places, hiking, and dancing.