
Close an AWS Account in an Organization

ACM.168 Challenges and risks related to removing AWS accounts, OUs, and organizations

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Part of my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: AWS Security | DevOps | AWS Organizations

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the last post we took a look at our architecture for integrating AWS with Okta as an Identity Provider using SAML.

Now what I want to do is delete the AWS Organization infrastructure I created via the command line and deploy it with CloudFormation.

Note: There has been a great deal of interest in this post for whatever reason.

Make sure that you have locked down the ability for the root user of a child account to remove accounts from an AWS Organization by implementing SCPs as I described here:
https://medium.com/cloud-security/root-ou-service-control-policies-d2c18fd0b21e

I mention the challenges with those SCPs in a follow-on post and will be publishing updates to those SCPs in later posts. Follow for updates.

In this post, I’ll show you some of the challenges when it comes to closing AWS accounts and deleting organizational resources. It’s important to understand these caveats in case you need to delete something in the future. You can end up with closed accounts hanging around that you don’t care to see and that will take 30 days to drop off. At this time, there’s no way to filter those out of the lists you may be reviewing.

TL;DR: If you already know the potential problems you may face when closing an account, skip to the bottom for the simplified list of steps to permanently and immediately remove an account from your AWS Organization.

Delete the existing organizations resources

I want to delete the existing AWS Organizations resources I created in this post. Refer to this post to get the information we’ll need to execute the commands below.

Because I haven’t used this account for anything else I won’t affect anything by deleting the resources.

I can delete the account with this command:

Then I can delete the Organizational Unit (OU):

And finally the organization:

Simple, right? Well, let’s run the commands and you’ll see that it’s not.

Delete an AWS account with the close-account API

There are a lot of caveats when you try to remove an account from your organization or close it. Here are a few:

To get the account number I can first list the accounts:

aws organizations list-accounts

To get the specific account I should be able to query it with the AWS CLI, but I am just going to use this because I know how to do it quickly and I always forget how to use the AWS query and filter options. I show you how to write the command with the AWS query and filter options in a later post, but for now:

acct=$(aws organizations list-accounts \
  --query 'Accounts[*].{Id:Id,Name:Name}' \
  --output text | grep Governance | cut -f1)
  • query returns all the accounts but only the ID and Name.
  • grep will only return the rows that contain “Governance” (the name of the account we want to delete).
  • An output value of ‘text’ removes quotes from the output.
  • cut -f1 will give me the first value (field) of each line; cut’s default delimiter is a tab, which is what the text output uses between fields.

Then I can run this command once I’ve stored the account number in my $acct variable.

aws organizations close-account --account-id $acct

It appears to have worked. Wait 60 seconds and check your organization to see if the account has been closed.
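The lookup and teardown above, as an added example that is not the post’s own script: it works on the text output of `aws organizations list-accounts --query 'Accounts[*].[Id,Name,Status]' --output text` (one row per account, fields separated by tabs), matches the whole account name rather than a substring, refuses to close anything that is not a single ACTIVE account, and checks the OU for leftover SUSPENDED accounts before trying to delete it. The sample rows are constructed; the `teardown` function is an assumed wrapper around the real CLI calls.

```shell
#!/bin/sh
# Added example, not from the original post. Input rows for the helpers look
# like "<Id><TAB><Name><TAB><Status>", i.e. the text output of
#   aws organizations list-accounts --query 'Accounts[*].[Id,Name,Status]' --output text
set -eu

# Print the account Id when exactly one account carries this Name and it is
# ACTIVE; exit 1 otherwise. Comparing the whole Name field avoids the substring
# problem of `grep Governance`, which would also match "Governance-Test".
closable_account_id() {            # usage: closable_account_id <name> <rows>
  printf '%s\n' "$2" | awk -F'\t' -v n="$1" '
    $2 == n { c++; id = $1; st = $3 }
    END { if (c == 1 && st == "ACTIVE") { print id; exit 0 }; exit 1 }'
}

# Count the accounts an OU still lists, whatever their status. An account you
# just closed stays listed as SUSPENDED, so delete-organizational-unit keeps
# failing until it drops off or is moved to another OU.
ou_account_count() {               # usage: ou_account_count <rows>
  printf '%s\n' "$1" | awk -F'\t' 'NF >= 2 { c++ } END { print c + 0 }'
}

# Constructed sample: two similarly named accounts plus one already closed.
SAMPLE_ACCOUNTS=$(printf '111111111111\tGovernance\tACTIVE\n222222222222\tGovernance-Test\tACTIVE\n333333333333\tSandbox\tSUSPENDED\n')

# Teardown in the order the post uses, gated on the checks above. Assumed
# wrapper: the account name and OU id are supplied by the caller.
teardown() {                       # usage: teardown <account-name> <ou-id>
  rows=$(aws organizations list-accounts \
    --query 'Accounts[*].[Id,Name,Status]' --output text)
  id=$(closable_account_id "$1" "$rows") || {
    echo "refusing: '$1' is not a single ACTIVE account" >&2; return 1; }
  aws organizations close-account --account-id "$id"
  left=$(aws organizations list-accounts-for-parent --parent-id "$2" \
    --query 'Accounts[*].[Id,Status]' --output text)
  if [ "$(ou_account_count "$left")" -gt 0 ]; then
    echo "OU $2 still lists accounts (closed ones stay SUSPENDED); not deleting it" >&2
    return 1
  fi
  aws organizations delete-organizational-unit --organizational-unit-id "$2"
}
```

Run `teardown Governance ou-xxxx-xxxxxxxx` with your own OU id; as the post goes on to show, the OU check will usually stop it right after the close, because the closed account is still in the OU.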

Here’s where it gets more challenging. I wanted to close this account and recreate it another way. It still exists, but it is “suspended.” What happens when I try to create a new account with this email address? Well, you can’t. I always forget this when testing AWS Organizations, so this post serves as a reminder for me and awareness for everyone else. You have to take the appropriate steps depending on what you are trying to do.

Here’s the next problem. We can’t delete the OU because an account exists in it.

And we can’t delete the Organization because resources exist in it.

What if we remove the account from the organization?

Here’s where we run into the next problem. You have to log in to the account with the root user and enter a credit card.

If we log in, add the credit card, and remove the account from the organization, is the account actually terminated? To make sure, we’ll want to close the account once we get in there.

Let’s see if we can log in. No joy.

So click the link above to learn more about re-opening a closed account. You have to contact AWS support to open the account again.

How long will my account remain in that suspended state in my AWS Organizations console?

30 days. That’s how long the suspended account sits there in your AWS Organizations list, even if you really don’t want it. There’s no way to filter out those accounts either. You can move them to an OU named “Suspended” that has a Service Control Policy that denies all actions in those accounts.

Can you create a new AWS account with the same email as a suspended or closed account?

No:

AWS really should have a big warning sign about this when you run the command to close an account or do this from the console. You should have to acknowledge that you won’t be able to use the email again. Had I known that (well, I did, but I forgot) I could have logged into the account, changed the email, added a credit card, and terminated the account from there. But it’s annoying to have to take all those steps to terminate an account that is part of the organization.

The last time I contacted AWS about an issue like this — they wanted me to send an email from the email used by the account. Since it is an alias, I would have to create and pay for a mailbox for that alias for one month just so I could email them to solve the problem.

Typo in domain name of email used to create an account

In the past, I had a typo in the domain portion of the email address when I created an account. I couldn’t reset the password on the account to log in as root because I didn’t have access to the email. Even if I could register the domain, it would be so dumb to pay to register the domain and then pay for a mailbox for one month just to close the account.

I contacted support and went around in circles and finally gave up. I just left that account sitting there idle in my organization and hoped no one would somehow get access to it. It wasn’t costing me anything, but I was concerned someone might get into it. It’s a security flaw to leave resources hanging around that someone might be able to get into by registering the domain or subdomain of the email address tied to them.

Finally! Years later I just logged in to the related management account after mentioning this a few times (so have others) and it appears that you can now close an account from the AWS Organizations dashboard without logging in to add a credit card to that account. I logged in, clicked on the account, and there’s a “close account” button in there. I’m not sure when it was added, but I just clicked it and now the account says it is suspended. Hallelujah! We’ll see if it drops off in 30 days.

Contact support to reactivate the account

I’m going to see if I can simply reopen the governance account I created and then I’ll close it properly. I clicked the link above to contact support. I asked them to please reopen the account. I chose the web option as I don’t like running chat programs in my browser.

Now we wait…

Next steps

Now hopefully when this process completes and the account is re-opened, I can do the following:

  • Log in as the root user.
  • Change the email address, because I wanted to reuse that email address.
  • Enter a credit card.
  • Log into my organizational AWS account.
  • Remove the account from the organization.
  • Log back into the other account and click on the account number at the top right.
  • Use the option to close the account in the account settings.

Once I do that, I should be able to run the command to delete the OU above, and the organization.

But wait. There’s more.

Messaging related to reopening an account is not accurate

I’m back. Nothing is ever simple. When I wanted to reactivate my account I did so using the link that showed up when I logged into the account to contact AWS support. I asked to reopen the account. This is what I got back when I checked in about 3–4 hours later.

Well, if I need to make this request from the AWS Organizations management account, then that is where the link should go when I log in, and it should tell me that in the messaging I receive when I try to log into the suspended account.

Additionally, the documentation above clearly says to log in as the root user of the account, not the AWS management account.

So now I have to start over and submit this request from the management account. It seems odd that I would have to do so using the root user of the AWS management account, but I will do that just to be sure I am [hopefully] following the directions.

And…we wait.

Support team possibly cannot tell it’s an organizations account?

One more note. Today my account is restored (so I can delete it properly…) but the support person told me to log in to the account to make sure my billing details are accurate. Seems like there may be a disconnect in support as to when accounts are in an organization versus stand-alone. The problem was not with my billing details. My account was not closed for non-payment. The organizational bills have no problems. Hmm.

But anyway, yay. Now I can follow the steps above to change the email and properly delete the account. Then I can reuse the same email to create the account in the future.

But wait — there’s still more!

Pin Verification issue

Next I get this lovely message.

What is that? I have no idea. Let’s see if the login link takes me to the right place.

Well, that link sends me to a login for an IAM user. I haven’t created any IAM users in that account. So I log in as the root user. It doesn’t send me anywhere relevant. So I navigate to the Organizations dashboard within the account I’m trying to close in search of this “pin verification” option. Aha. I can choose to leave the organization here:

Then I get this error so I click the link to complete the process and follow the steps.

I have to add a phone number, Amazon calls me, and I enter a pin.

That’s the pin verification process which I don’t recall but probably forgot about because I haven’t closed an account in a while.

And…I have successfully removed this account from the organization according to the message.

Let’s double check that. Log into the AWS management account. Success.

Do you have any concerns at this point? Maybe you should. Who has access to log in with the root credentials to any account in your organization? Can they remove accounts from your organization by clicking the button to leave the organization? I’ll show you how to add a policy to the root user of any new account in a future post to prevent such unwanted actions.

Close the account — finally — in a way that removes it from the organization completely

OK now that the account is removed from the organization, we can log back into it and close it.

Click on your user name on the top right of the AWS console.

Click account.

Scroll to the bottom. Click all the boxes to close the account.

This closes the account in such a way that it no longer appears in your organization.

Note that if you haven’t done so already you would have to enter a credit card first.

TL;DR

Short version of the steps to remove an account from an AWS Organization and close it (if you are sure you don’t need to reopen it again!):

  • Log in to the existing account that you want to close with the root user account.
  • Change the email for the account if you want to use that email again (or attempt to do it using the account functions in AWS Organizations — there seem to be some new features or UI changes for this).
  • Add a credit card. (You may be able to do this from the Organization. I have some later posts on SCPs to limit removing an account which cover this published March 26th and beyond.)
  • Navigate to AWS Organizations in the account you are trying to close.
  • Click the button to leave the organization. (If you are trying to do this from within the AWS Organization you would choose the “Remove from Organization” option. See later posts for more information.)
  • Follow the steps.
  • After getting a message about successful removal, close the account.
  • Once you have removed all the accounts in an OU or moved them, you can delete the OU.
  • Once you have closed or removed all the accounts in your organization, you can delete the organization.

Now that we’ve cleaned that up we can create an organization from scratch using CloudFormation, except for the organization itself. You will have to use the command line option in this post to create the Organization if you want a script to automate that which you store in source control.

If you are concerned about who can remove an account from your organization, you can create a Service Control Policy to prevent that as explained here, but I am going to further revise these root SCPs in a follow-on post to facilitate removing accounts with two-party approval.

After writing this post, I was reminded that you can use the AWS account API to change the email on an account. However, can you do that on a suspended account if you inadvertently suspended it and want to reuse the same email? What about creating an account with the same name? I presume this requires a cross-account role now disabled in the suspended account? That’s something to test.

Now I’m working through re-creating the organization.

Here’s another related post on how to work around constraints when closing an account.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023
