
Mastering Compliance and Governance: A Step-by-Step Guide to Removing a Member Account from AWS Organization

Overview

This blog provides a step-by-step procedure for removing a member account from AWS Organizations using the AWS console. It also emphasizes that removing a member account from AWS Organizations should be done cautiously, and established procedures for removing accounts from the Organization should be followed.

Introduction to AWS Organizations

AWS Organizations is a powerful tool for managing multiple AWS accounts, providing enhanced security and governance features, and simplifying billing and access control across your Organization. To maintain compliance and governance throughout your Organization, you can use AWS Organizations to build groups of AWS accounts known as “Organizational Units” (OUs) and apply policies to those OUs.

AWS Organizations makes it easy to consolidate billing and control access to AWS services across all of your accounts. You can use AWS Organizations to create a hierarchical structure of OUs, which allows you to manage and apply policies to groups of accounts easily. For example, you might create an OU for production accounts and apply strict security policies while creating a separate OU for development accounts with more relaxed policies.

Let’s start by reviewing the reasons for removing a member account from an AWS Organizations OU and then walk through the steps.


Why should we remove a member account?

There are several reasons to remove a member account from AWS. Some of the most typical situations are listed below:

  • The account is no longer needed: Over time, your Organization’s needs may change, and some member accounts may become obsolete. Removing these accounts can help simplify your Organization’s structure and reduce unnecessary costs.
  • The account is not compliant: If a member account is not following your Organization’s policies or is not compliant with industry regulations, you may need to remove it from the Organization to avoid any potential risks.
  • The account is causing issues: In some cases, a member account may be causing issues for other accounts in the Organization, such as by exceeding resource limits or creating security vulnerabilities. Removing the account can help mitigate these issues.
  • The account owner requests removal: If the owner of a member account requests to be removed from the Organization, you may need to honor that request and remove the account.
  • The Organization is being restructured: If your Organization is undergoing a major restructuring or reorganization, you may need to remove some member accounts to realign them with new teams or business units.
  • Moving to AWS Control Tower: As a company scales, it may move its accounts to AWS Control Tower for better business agility and governance, which requires removing them from the existing Organization first.

It is important to note that removing a member account from AWS Organizations should be done cautiously, as it can have implications for the account owner and their resources. Before removing an account, it is a good idea to communicate with the account owner and ensure they know the potential impacts. Additionally, you should follow established procedures or policies for removing accounts from your Organization.

Precautionary Steps for account removal:

To remove an account from an AWS organization, it must have all the necessary information to operate as a standalone account, including a support plan, verified contact information, and a current payment method. This information is not automatically collected when the account is created in the Organization, so it must be provided separately. AWS will charge the payment method for any billable activity that occurs while the account is not attached to the Organization.

Once an account is removed from an AWS organization, the account owner is responsible for any new AWS costs incurred and the account’s payment method will be used. The costs of the account are no longer under the control of the Organization’s management account.

Verify that the account is not the delegated administrator account for any AWS service that has been enabled for your Organization before removing it from an AWS Organization. If so, switch the account designated as the delegated administrator to one that will stay within the Organization.

After removing accounts created using the AWS Organizations console or CreateAccount API from an organization, the creating management account remains responsible for the actions taken by those accounts and is liable for any associated costs. Agreements with AWS cannot be transferred or assigned without prior consent.

When a member account is removed from an AWS organization, it loses access to the cost and usage data from the period when it was part of the Organization. That data remains accessible to the Organization’s management account, and the account regains access to it only if it re-joins the Organization.

All tags associated with a member account are removed when the member account leaves the Organization.

Step-by-step procedure for removing a member account from AWS Organizations

  1. There are three options for logging in to the AWS Organizations console: as an IAM user, assuming an IAM role, or as the root user (although this is not advised) under the Organization’s management account.
  2. On the AWS accounts page, select the checkbox beside each member account you wish to remove from the Organization. Either enable “View AWS accounts only” to display a flat list of accounts without the OU structure, or traverse the OU hierarchy to locate them. If you have many accounts, you might need to choose “Load more accounts in ‘ou-name’” at the bottom of the list to find all the accounts you want to remove.
  3. Select “Actions” and then, under “AWS account,” choose “Remove from organization.”
  4. In the dialog box that says, “Remove account ‘account-name’ (#account-id-num) from Organization?” select “Remove account.”
  5. If AWS Organizations is unable to remove one or more accounts, it is usually because the account does not yet have all the information it needs to operate as a standalone account (see the precautionary steps above). To resolve this issue, follow these steps:
    1. To address the issue, log in to the accounts that failed to be removed. We suggest using an incognito window by selecting “Copy link” and pasting it into the address bar of a new incognito browser window. If you do not use an incognito window, you will be signed out of the management account and unable to navigate back to the dialog box.
    2. Upon accessing the account, the browser will direct you to the sign-up process to address any missing steps for that account. Follow and complete all the presented steps, which may include the following:
      • Provide your contact information.
      • Provide your credit/debit card details.
      • Verify your contact number.
      • Select a support plan based on your business need.
      • Once you finish the final sign-up step, AWS will automatically redirect your browser to the AWS Organizations console for the member account. Select “Leave organization” and confirm your decision in the confirmation dialog box. The “Getting Started” page of the AWS Organizations console will then be displayed, where you may see any pending invitations for your account to join other organizations.

The account now operates as a standalone account, with its own billing, payment method, and support plan, and is no longer governed by the Organization’s policies.
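The precautionary checks above (delegated-administrator status) and the seven-day waiting period from FAQ 1 below can be automated before the console steps are attempted. The following is an added example, not code from the original post: `removal_blockers` applies both rules to data shaped like the Organizations `DescribeAccount` response, and `check_live` feeds it real data via boto3 (`DescribeAccount`, `ListDelegatedServicesForAccount`, and, only when every check passes and `remove=True`, `RemoveAccountFromOrganization`). The account IDs and the Security Hub delegation are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

MIN_AGE_DAYS = 7  # waiting period for accounts created inside the Organization (FAQ 1)

def removal_blockers(account, delegated_services, now=None):
    """Reasons the account is not yet safe to remove (empty list means OK). `account` is
    shaped like DescribeAccount's "Account"; `delegated_services` lists the service
    principals for which the account is the delegated administrator."""
    now = now or datetime.now(timezone.utc)
    blockers = []
    # Rule 1: an account created in the Organization must be at least 7 days old.
    if account["JoinedMethod"] == "CREATED":
        age = now - account["JoinedTimestamp"]
        if age < timedelta(days=MIN_AGE_DAYS):
            blockers.append(f"created {age.days} day(s) ago; wait {MIN_AGE_DAYS} days")
    # Rule 2: delegated-administrator roles must be reassigned before removal.
    if delegated_services:
        blockers.append("delegated administrator for: " + ", ".join(sorted(delegated_services)))
    return blockers

def check_live(account_id, remove=False):
    """Same checks against the real Organizations API (needs management-account credentials)."""
    import boto3  # imported here so the pure checks above run without boto3 installed
    org = boto3.client("organizations")
    account = org.describe_account(AccountId=account_id)["Account"]
    services, kwargs = [], {"AccountId": account_id}
    try:
        while True:  # ListDelegatedServicesForAccount pages with NextToken
            resp = org.list_delegated_services_for_account(**kwargs)
            services += [s["ServicePrincipal"] for s in resp["DelegatedServices"]]
            if "NextToken" not in resp:
                break
            kwargs["NextToken"] = resp["NextToken"]
    except org.exceptions.AccountNotRegisteredException:
        pass  # the account is not a delegated administrator for any service
    blockers = removal_blockers(account, services)
    if not blockers and remove:  # only act once every precaution is satisfied
        org.remove_account_from_organization(AccountId=account_id)
    return blockers

# Constructed sample data with placeholder account IDs, checked at a fixed instant.
NOW = datetime(2023, 6, 10, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = {
    "111111111111": {"JoinedMethod": "CREATED", "JoinedTimestamp": NOW - timedelta(days=3)},
    "222222222222": {"JoinedMethod": "INVITED", "JoinedTimestamp": NOW - timedelta(days=1)},
}
SAMPLE_DELEGATIONS = {"111111111111": ["securityhub.amazonaws.com"]}  # 2222... has none

for acct_id, acct in SAMPLE_ACCOUNTS.items():
    print(acct_id, removal_blockers(acct, SAMPLE_DELEGATIONS.get(acct_id, []), NOW) or "OK")
```

Run `check_live("<account-id>")` from the management account to see what still blocks a removal; the standalone-account requirements (payment method, contact details, support plan) are not exposed by the API and still have to be completed in the console as described in step 5.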

Conclusion

In this blog, we successfully demonstrated the importance and step-by-step process of removing a member account from AWS Organizations.


Drop a query if you have any questions regarding AWS Organizations, and I will get back to you quickly.

FAQs

1. What minimum waiting period is required to remove a newly created account using AWS Organizations?

ANS: – To remove a newly created account within the Organization, you must wait for at least seven days after the account was created. However, invited accounts are not subject to this waiting period.

2. After getting removed from AWS Organizations, what time range does a standalone account have access to billing information?

ANS: – A member account that separates from the Organization and becomes a standalone account loses access to the cost and usage information from the period when the account was a member. Only data generated as a solo account will be accessible to the account.

3. What are the required permissions to leave the Organization?

ANS: – The account needs the organizations:DescribeOrganization, organizations:LeaveOrganization, aws-portal:ModifyBilling, and aws-portal:ModifyPaymentMethods permissions, and the member account must enable IAM user access to billing.

WRITTEN BY Arvind Kishore
