Teri Radichel

Closing An AWS Account Associated With AWS Control Tower

ACM.185 Removing AWS Control Tower management of an AWS Account

Part of my series on Automating Cybersecurity Metrics. The Code.

In my last post in this series I pondered simplifying security in AWS. That’s really what I want to do in this whole blog series, but as you can see it is not simple. Hopefully by the end I will have some code available to help with that.

In some past posts I’ve written about account deletion in an organization where AWS Control Tower is not set up. When you have AWS Control Tower set up, things are a bit different. Let’s look at how that works.

First, the instructions say that you can close your account without having to log into the account you are closing.

You can close your AWS Control Tower member accounts from your organization’s management account without a requirement to sign in to each member account individually with root credentials, by means of AWS Organizations

But there is a catch: the account remains in a suspended state for 90 days.

When you call the AWS Organizations CloseAccount API, or close an account in the AWS Organizations console, the member account is isolated for 90 days, as any AWS account would be. The account shows a Suspended status in AWS Control Tower and AWS Organizations. If you attempt to work with the account during that 90 days, AWS Control Tower gives an error message.

So if you want to close the account and later recreate one with the same email address, change the email address on the account before you close it, as I explained previously, because the address stays tied to the suspended account until it is fully deleted. Likewise, if you plan to delete the entire organization, you can’t do that until every member account has finished closing, as explained before. If you need the account removed immediately rather than suspended, you need the additional steps in the post linked at the bottom.

There’s another caveat if you are using Control Tower: unmanage the account before you close it. If you close it while it is still enrolled, Control Tower keeps reporting it as enrolled, and operations on its OU fail for the whole 90-day window.

If you close a member account without first unmanaging it, AWS Control Tower shows the account’s status as Suspended, but also as Enrolled. As a result, if you attempt to Re-register the account’s OU during that 90-day time, AWS Control Tower produces an error message.

This leads to another issue worth mentioning. If you set things up with Control Tower and then make changes directly in AWS Organizations, Control Tower detects the difference as drift and you end up with a mess to repair. Once you are using Control Tower, make changes through Control Tower, not through AWS Organizations. For example, don’t move Control Tower-managed accounts between OUs from the AWS Organizations console.

Unmanage a Control Tower Account

OK, so how do you unmanage an account in AWS Control Tower? That page doesn’t explain it. You can find those instructions over here.

This is where things get confusing to me. You would think that you could unmanage an account somewhere in Control Tower. But the instructions tell you to go over to Service Catalog.

What is Service Catalog? It is a service that lets you publish pre-configured products (typically CloudFormation templates) that people in your organization can launch without being able to change how they are built.

AWS Control Tower’s Account Factory is one of those products. Control Tower uses Service Catalog to create member accounts that conform to the rules you have configured, and each enrolled account shows up in Service Catalog as a provisioned product. Control Tower then keeps the accounts compliant with preventive controls (SCPs attached to the OUs) and detective controls implemented as AWS Config rules.

The instructions above cover unmanaging the account; closing it is a separate step in AWS Organizations afterwards.

Of course, once you unmanage the account, the security controls provided by AWS Control Tower no longer apply to it: the account is moved out of its OU to the organization root, so the preventive controls (SCPs) on that OU and the detective controls (Config rules) stop covering it. If you do not plan to delete it right away, make sure it ends up in an OU with appropriate controls of its own.

Following the instructions above, navigate to AWS Service Catalog.

Make sure you are in the AWS management account for your organization.

Make sure you have selected the Control Tower home region, since that is where the Account Factory provisioned products live.

Click on Provisioned Products on the left.

When you reach this screen the list is empty at first: the default access filter shows only products that your own user provisioned, and the Account Factory products were provisioned by Control Tower.

Change the access filter to Account.

Now you’ll see the provisioned products, one per account enrolled through Account Factory.

Select the provisioned product for the account you want to unmanage and choose Terminate from the Actions menu. This terminates the Service Catalog product, not the AWS account: the account continues to exist, it just leaves Control Tower’s management.

In this case, I’m terminating an account I used for a cloud security class that I don’t need anymore.

When I look at AWS Organizations, the account I removed from Control Tower management is now at the root of my organization. I have a Suspended OU in this organization with a DenyAll SCP that I attached manually, so I’m going to move the account there until I’m ready to delete it. Moving it from the AWS Organizations console is fine at this point, because Control Tower no longer manages the account and there is no enrollment to drift from.

Once you have unmanaged the account, return to the AWS Organizations console, navigate to the account, select it, and click the button to close it.
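The console procedure above, as an added CLI version (example code, not from the original post or from AWS): it assumes the aws CLI is configured for the organization’s management account in the Control Tower home region, and the OU ID, account name and account ID are placeholders supplied through environment variables. It terminates the Account Factory provisioned product, parks the account in the quarantine OU behind a DenyAll SCP, and closes it, polling Service Catalog’s record status so the close happens only after the unmanage finishes.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes: aws CLI configured for
# the management account in the Control Tower home region; SUSPENDED_OU_ID,
# ACCOUNT_NAME and ACCOUNT_ID are placeholders supplied by the caller.

# The DenyAll service control policy attached to the Suspended (quarantine) OU.
deny_all_scp() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*"}
  ]
}
EOF
}

# Map a Service Catalog record status to an exit code for polling loops:
# 0 = SUCCEEDED, 2 = still in progress, 1 = FAILED or anything unexpected.
record_status_code() {
  case "$1" in
    SUCCEEDED) return 0 ;;
    CREATED|IN_PROGRESS|IN_PROGRESS_IN_ERROR) return 2 ;;
    *) return 1 ;;
  esac
}

# Step 1: unmanage. The console's Account filter is --access-level-filter
# Key=Account,Value=self; without it the list is empty because the products
# were provisioned by Control Tower, not by your own user.
unmanage_account() {
  pp_id=$(aws servicecatalog search-provisioned-products \
    --access-level-filter Key=Account,Value=self \
    --filters SearchQuery="name:$1" \
    --query 'ProvisionedProducts[0].Id' --output text)
  if [ -z "$pp_id" ] || [ "$pp_id" = "None" ]; then
    echo "no provisioned product named $1" >&2
    return 1
  fi
  record_id=$(aws servicecatalog terminate-provisioned-product \
    --provisioned-product-id "$pp_id" \
    --query 'RecordDetail.RecordId' --output text)
  # Poll until the terminate record reaches a terminal state.
  while :; do
    status=$(aws servicecatalog describe-record --id "$record_id" \
      --query 'RecordDetail.Status' --output text)
    rc=0; record_status_code "$status" || rc=$?
    [ "$rc" -eq 2 ] || return "$rc"
    sleep 15
  done
}

# One-time setup for the quarantine OU: create the DenyAll SCP and attach it.
attach_deny_all() {
  policy_id=$(aws organizations create-policy --name DenyAll \
    --description "Quarantine for accounts awaiting closure" \
    --type SERVICE_CONTROL_POLICY --content "$(deny_all_scp)" \
    --query 'Policy.PolicySummary.Id' --output text)
  aws organizations attach-policy --policy-id "$policy_id" --target-id "$1"
}

# Step 2: after unmanaging, the account sits at the organization root, so
# moving it in Organizations no longer fights Control Tower.
quarantine_account() {
  parent_id=$(aws organizations list-parents --child-id "$1" \
    --query 'Parents[0].Id' --output text)
  aws organizations move-account --account-id "$1" \
    --source-parent-id "$parent_id" --destination-parent-id "$2"
}

# Step 3: close from the management account. Status goes PENDING_CLOSURE,
# then SUSPENDED for the 90-day window described above.
close_account() {
  aws organizations close-account --account-id "$1" >/dev/null
  aws organizations describe-account --account-id "$1" \
    --query 'Account.Status' --output text
}

# Guarded so that sourcing the file only defines the functions.
if [ "${RUN_CLEANUP:-0}" = "1" ]; then
  unmanage_account "$ACCOUNT_NAME" \
    && quarantine_account "$ACCOUNT_ID" "$SUSPENDED_OU_ID" \
    && close_account "$ACCOUNT_ID"
fi
```

Run `attach_deny_all` once per quarantine OU, then `RUN_CLEANUP=1 ACCOUNT_NAME=... ACCOUNT_ID=... SUSPENDED_OU_ID=... sh unmanage-and-close.sh` per account. The SCP denies everything including the member account’s root user, which is the point of the quarantine; SCPs never apply to the management account, so the close call itself still works.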

The only issue is that the account is not terminated immediately. It remains in a suspended state for 90 days. If you want it gone immediately you will need to follow the steps in this post. Remember to change the email first if you want to reuse it, which you can do with the AWS Accounts API.

Well, that helps me terminate one account, but I actually want to close all the accounts in this organizational structure because I’m recreating everything in a new account structure. First, I need to migrate some resources to the new account structure and set up some additional security controls. One more constraint for a bulk cleanup: AWS Organizations lets you close only 10% of member accounts in a rolling 30-day period, so closing a whole organization has to be scheduled over time.

This scenario is similar to a business that sold all its assets to another company and needs to quickly migrate them into a new account structure. As always, businesses have competing priorities: set everything up perfectly, or move things quickly. I’ll be considering that in the next few posts.

Teri Radichel | © 2nd Sight Lab 2023