Remove AWS Control Tower

ACM.219 Steps to Decommission AWS Control Tower

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

In the last post I took a look at the Pros and Cons of AWS StackSets.

In this post I’m going to remove AWS Control Tower from my account because it is preventing me from doing things I need to do. AWS Control Tower uses AWS StackSets, and I considered using them in my own code but decided against it for the reasons explained in that post. For now, I just want to remove AWS Control Tower so I can continue migrating the remaining resources into my new account.

Decommissioning AWS Control Tower is a step that cannot be undone. If you don’t follow the proper steps you cannot redeploy AWS Control Tower later.

Prior to decommissioning AWS Control Tower

Here are some of the steps I took first. I moved some important resources since some protections will be removed once I decommission AWS Control Tower. I also added a few Service Control Policies to disallow actions in accounts I plan to close and put protections on important resources.

In a prior post I explained how to move the contents of one S3 bucket to another.

I’ve also already explained how to move domain names from one account to another. In this post, I explain why you might want all your domain names in one place.

I also explained how to migrate AMIs here.

Moving entire AWS Accounts

You may have other things to migrate as well. Sometimes the migrations are very complex and it’s easier to just move the whole account instead of migrating individual resources. I’m going to completely migrate a few accounts for that reason.

But first, I need to decommission AWS Control Tower. Remember that AWS Control Tower creates some restrictions via Service Control Policies (which are good if you are not intending to migrate accounts!).

However, they prevented me from taking certain actions while trying to run some tests. I took a look at the Service Control Policies thinking I might modify them and gave up. That’s when I started this whole do-over with a new AWS account and organizational structure. You can read about that here if you are interested in some of the issues.

Caveats for decommissioning AWS Control Tower

There are a lot of caveats if you plan to continue using your account, so read them. That is a complicated starting point for what should be a simple process. However, you might want to understand exactly what is going to happen when you take this step, so here you go.

Note this warning:

In my case, I’m closing the account and not too concerned about the remaining resources.

Decommissioning steps

Here are the actual decommissioning steps.

Log into your AWS Management Account and navigate to the region where AWS Control Tower is located.

Navigate to AWS Control Tower

When I log in I see this. Interesting. I started trying to remove the accounts from my organization but hit roadblocks due to AWS Control Tower. I ended up just moving the accounts to a Suspended SCP with no privileges and now I see this. Hmm. Ok.

I removed the DenyAll SCP I created in case it affects Control Tower, since I’m going to delete these accounts anyway. My understanding is that AWS Control Tower uses a service-linked role which is not affected by SCPs, but perhaps I missed something, so I’ll remove it just to be safe.

Click Landing zone settings on the left.

Click Decommission.

Check the three boxes, type DECOMMISSION, and click Decommission Landing Zone.

Next you’ll see this message:

Now I don’t know what’s happening exactly. I waited a bit and then I checked CloudTrail. Looks like some things are happening:

We’ll just let that run for a while and I’ll come back after a while and check it.

It didn’t actually take that long for the process to complete. I’m not sure how long exactly, but when I refreshed the page a bit later I got this.

I no longer see the SCPs Control Tower created or the AWS Config rules, so I should be able to proceed with moving my accounts.
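The post checks CloudTrail to see what the decommission is doing, and then confirms the Control Tower SCPs and Config rules are gone. The script below, an added example and not code from the original post, does both over a constructed set of CloudTrail records: it groups the teardown API calls by service, and it reports anything still matching Control Tower's naming patterns. The `aws-guardrails-` and `AWSControlTower_` prefixes, and every ID and name in the sample, are assumptions or placeholders.

```python
"""Triage CloudTrail records captured while AWS Control Tower is being
decommissioned, to see what the landing-zone teardown actually removed.
Added example, not the post's code; all records and IDs are constructed."""
import json
from collections import defaultdict

# Name patterns Control Tower uses for its guardrail SCPs and Config rules
# (assumed prefixes; verify against your own organization).
CT_SCP_PREFIX = "aws-guardrails-"
CT_CONFIG_RULE_PREFIX = "AWSControlTower_"

# API calls, per event source, that indicate Control Tower resources being torn down.
TEARDOWN_EVENTS = {
    "organizations.amazonaws.com": {"DetachPolicy", "DeletePolicy"},
    "config.amazonaws.com": {"DeleteConfigRule"},
    "cloudformation.amazonaws.com": {"DeleteStackInstances", "DeleteStackSet"},
}

def summarize_teardown(records):
    """Group teardown API calls by service, naming the affected resource."""
    summary = defaultdict(list)
    for rec in records:
        src, name = rec.get("eventSource"), rec.get("eventName")
        if name not in TEARDOWN_EVENTS.get(src, set()):
            continue  # unrelated event (e.g. STS, read-only calls)
        params = rec.get("requestParameters") or {}
        target = (params.get("policyId") or params.get("configRuleName")
                  or params.get("stackSetName") or "?")
        summary[src].append(f"{name}:{target}")
    return dict(summary)

def remaining_control_tower_resources(scp_names, config_rule_names):
    """Anything still matching the Control Tower naming pattern after
    decommissioning means the teardown has not finished."""
    scps = [n for n in scp_names if n.startswith(CT_SCP_PREFIX)]
    rules = [n for n in config_rule_names if n.startswith(CT_CONFIG_RULE_PREFIX)]
    return {"scps": scps, "config_rules": rules}

# Constructed sample trail; IDs and names are placeholders, not real values.
SAMPLE_TRAIL = json.loads("""[
 {"eventSource":"organizations.amazonaws.com","eventName":"DetachPolicy",
  "requestParameters":{"policyId":"p-EXAMPLE1","targetId":"ou-EXAMPLE"}},
 {"eventSource":"config.amazonaws.com","eventName":"DeleteConfigRule",
  "requestParameters":{"configRuleName":"AWSControlTower_EXAMPLE_RULE"}},
 {"eventSource":"cloudformation.amazonaws.com","eventName":"DeleteStackInstances",
  "requestParameters":{"stackSetName":"AWSControlTowerBP-EXAMPLE"}},
 {"eventSource":"sts.amazonaws.com","eventName":"AssumeRole","requestParameters":{}}
]""")

if __name__ == "__main__":
    print(json.dumps(summarize_teardown(SAMPLE_TRAIL), indent=2))
```

Feed `summarize_teardown` the records from a CloudTrail lookup or S3 trail export for the decommission window; an empty result from `remaining_control_tower_resources` is the point at which account moves can safely proceed.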

The first thing I did was to close the accounts I don’t need. One of the accounts created by AWS Control Tower is a Backup Account. I already moved what I needed so I clicked on that account in the organizations list.

NOTE: You can only “Remove” the account from the AWS Organizations list, not CLOSE the account. You have to click on the account to close it. Then you can click the close button. It will ask you if you are sure. Follow the steps.

And…it worked.

That was a lot easier than the last time I tried to close an account. The above action will leave your account in a suspended state for 90 days. You won’t be able to remove the organization and close the management account until that time has elapsed. If you want to immediately shut it down for some reason you may need to follow some additional steps.

If you try to remove too many accounts too fast you will get this message:

On to moving, closing, and removing the remaining accounts.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023
