Introduction to AWS Landing Zone Account Closure Process

AWS Landing Zone offers a standardized approach to managing multi-account environments, with features designed to enhance security, compliance, and scalability across your AWS infrastructure. As organizations evolve, however, the need to close certain accounts arises, whether to consolidate resources or to manage costs. Closing an account that a landing zone manages requires a precise, managed approach to avoid problems, because the account is tied into centrally managed policies and provisioning. This guide walks through the essential steps to close such accounts appropriately, using the AWS Control Tower console (the successor to the original AWS Landing Zone solution), so that account termination is smooth and compliant.

Why Unmanage an Account Before Closing It

In AWS Landing Zone, a managed account carries configurations, policies, and organizational ties. Before closing such an account, unmanage it first: detach it from the landing zone's centralized control so that its policies and configurations cannot interfere with the closure process. Skipping this step can leave unintended consequences behind, such as failed API calls, residual resources, and orphaned roles or permissions. Unmanaging the account first gives you a clean slate for a safe and complete closure.

Understanding Unexpected Behavior Post-Closure

While AWS takes significant steps to make account closures safe and streamlined, unexpected issues arise when accounts are not correctly unmanaged first. Typical problems include lingering CloudFormation stacks, orphaned IAM roles, and unexpected billing. Recognizing that unmanaging and closing an account touch specific AWS policies and service dependencies helps you identify where residual configuration or resources may remain, and so avoid the common post-closure pitfalls.

Preparing for Account Closure: Root User Credentials

Root user credentials play a critical role in the closure process, because closing an account from inside that account requires signing in as its root user. Confirm that you hold the correct root credentials, and control the root email address, before initiating the closure steps. Verify that MFA (multi-factor authentication) is enabled on the root user for extra security during the process. Keep the root credentials until closure is confirmed; this retains control of the account through the transition and reduces the risk of unauthorized access during it.

Steps to Unmanage an AWS Account in Landing Zone

  1. Sign in to the management account and open the AWS Control Tower console, which is where the landing zone is administered.
  2. Under Accounts, identify the account you wish to unmanage and open its details. Note its organizational unit (OU) and the controls applied to that OU, because those continue to apply to the account for as long as it sits there.
  3. Detach the account from the landing zone's management. In practice this means terminating the Account Factory provisioned product that was created for the account in AWS Service Catalog (described in the next section); that termination is what moves the account out of the enrolled state.
  4. Review any policies attached directly to the account (as opposed to its OU) and remove those the landing zone applied, ensuring they no longer affect the account's resources or billing.

Terminating a Provisioned Product for Account Unmanagement

After recording the account's details, terminate the provisioned product that Account Factory created for it, along with any other remaining landing zone artifacts such as CloudFormation stacks it provisioned. From the management account, as a principal with access to the Account Factory portfolio, open AWS Service Catalog, go to Provisioned products, locate the product for the account (named when the account was provisioned), and choose Terminate. Terminating the product removes the landing zone's management of the account; it does not delete the account or the resources inside it, and the account stays in its OU. Once termination completes, verify that the configurations, roles, and other dependencies the landing zone placed in the account are no longer needed by anything you intend to keep.

Waiting for the Account Status to Change to Not Enrolled

After the provisioned product is terminated, monitor the account's status in the AWS Control Tower console. The account should show as "Not enrolled", or drop off the enrolled accounts list entirely. This status change confirms that the landing zone no longer manages the account and that it can be closed without configuration conflicts. Note that the account still belongs to the organization and its OU, so service control policies attached to that OU continue to apply until the account is closed.

Initiating Account Closure: A Detailed Walkthrough

  1. Sign in to the account you intend to close as its root user. The closure control lives on that account's own Account settings page (reachable from the Billing and Cost Management console), not in the management account.
  2. Review the closure details and make sure any data you must retain for compliance, such as CloudTrail logs, backups, or billing reports, has been copied out of the account first; once the account is permanently closed it cannot be retrieved.
  3. Select "Close Account", acknowledge the terms, and follow the on-screen instructions; you may be asked to re-enter the root credentials and complete MFA. Alternatively, the management account can close a member account through the AWS Organizations console or the CloseAccount API, which does not require signing in to the member account as root.
  4. Confirm closure: AWS sends an email to the root email address confirming that the closure process has been initiated. The account then enters a suspended state for the post-closure period before it is permanently closed.

Final Checks and Confirmation for Account Closure

Once the account is closed, perform a final review:

  • Check for residual billing charges; some services may be billed on a delayed cycle.
  • Review linked services to ensure no resources are inadvertently retained.
  • Confirm the closure notification email has been received and verify with AWS Support if there are any lingering concerns or dependencies.
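The unmanage check, the closure itself and the post-closure status check above can be driven from the AWS APIs rather than the console. The following is an added example, not code from the original article or from AWS: it calls the Service Catalog and Organizations operations the way boto3 clients expose them (search_provisioned_products, get_provisioned_product_outputs, describe_account, close_account), but ships with constructed fake clients so it runs offline. It assumes that the Account Factory provisioned product exposes an output named AccountId (an assumption about Account Factory's outputs) and that the caller runs in the management account with Service Catalog and Organizations permissions; the account IDs and product ID are constructed.

```python
"""Gate and close an AWS Control Tower member account (added example).
Assumes the Account Factory provisioned product exposes an "AccountId" output
and that the caller holds management-account credentials; IDs are constructed."""
from __future__ import annotations

import time
from typing import Any, Callable

MANAGED_ACCOUNT = "111111111111"    # constructed: still backed by Account Factory
UNMANAGED_ACCOUNT = "222222222222"  # constructed: provisioned product already gone


def find_account_factory_product(sc: Any, account_id: str) -> dict | None:
    """Provisioned product whose AccountId output matches, or None if unmanaged."""
    # Account/self shows products provisioned by any principal, not just the caller.
    kwargs: dict = {"AccessLevelFilter": {"Key": "Account", "Value": "self"}}
    while True:
        page = sc.search_provisioned_products(**kwargs)
        for product in page.get("ProvisionedProducts", []):
            outputs = sc.get_provisioned_product_outputs(
                ProvisionedProductId=product["Id"]).get("Outputs", [])
            if any(o["OutputKey"] == "AccountId" and o["OutputValue"] == account_id
                   for o in outputs):
                return product
        if not page.get("NextPageToken"):
            return None
        kwargs["PageToken"] = page["NextPageToken"]


def preflight(sc: Any, org: Any, account_id: str) -> list[str]:
    """Reasons the account must not be closed yet; an empty list means go."""
    blockers = []
    product = find_account_factory_product(sc, account_id)
    if product is not None and product["Status"] != "TERMINATED":
        blockers.append(f"Account Factory product {product['Id']} is "
                        f"{product['Status']}; terminate it before closing")
    status = org.describe_account(AccountId=account_id)["Account"]["Status"]
    if status != "ACTIVE":  # PENDING_CLOSURE / SUSPENDED: closure already under way
        blockers.append(f"account status is {status}, expected ACTIVE")
    return blockers


def close_member_account(sc: Any, org: Any, account_id: str, poll_seconds: int = 15,
                         timeout_seconds: int = 900,
                         sleep: Callable[[float], None] = time.sleep) -> str:
    """Refuse while blockers remain; else call CloseAccount and poll until SUSPENDED.

    CloseAccount is asynchronous (ACTIVE -> PENDING_CLOSURE -> SUSPENDED, the
    90-day restorable state) and is capped at 10% of member accounts per 30 days.
    """
    blockers = preflight(sc, org, account_id)
    if blockers:
        raise RuntimeError("; ".join(blockers))
    org.close_account(AccountId=account_id)
    waited = 0
    while True:
        status = org.describe_account(AccountId=account_id)["Account"]["Status"]
        if status == "SUSPENDED":
            return status
        if waited >= timeout_seconds:
            raise TimeoutError(f"{account_id} still {status} after {waited}s")
        sleep(poll_seconds)
        waited += poll_seconds


# Offline stand-ins for the boto3 servicecatalog / organizations clients.
class FakeServiceCatalog:
    def __init__(self, products: list[tuple[dict, list[dict]]]):
        self._products = products  # (provisioned product, its outputs)

    def search_provisioned_products(self, **_: Any) -> dict:
        return {"ProvisionedProducts": [p for p, _ in self._products]}

    def get_provisioned_product_outputs(self, ProvisionedProductId: str) -> dict:
        return {"Outputs": next(o for p, o in self._products
                                if p["Id"] == ProvisionedProductId)}


class FakeOrganizations:
    def __init__(self, statuses: dict[str, str]):
        self._status, self._polls = dict(statuses), {}

    def describe_account(self, AccountId: str) -> dict:
        if self._status[AccountId] == "PENDING_CLOSURE":  # flip after two polls
            self._polls[AccountId] = self._polls.get(AccountId, 0) + 1
            if self._polls[AccountId] >= 2:
                self._status[AccountId] = "SUSPENDED"
        return {"Account": {"Id": AccountId, "Status": self._status[AccountId]}}

    def close_account(self, AccountId: str) -> dict:
        self._status[AccountId] = "PENDING_CLOSURE"
        return {}


def make_fakes() -> tuple[FakeServiceCatalog, FakeOrganizations]:
    """One account still managed by Account Factory, one already unmanaged."""
    sc = FakeServiceCatalog([({"Id": "pp-managed01", "Status": "AVAILABLE"},
                              [{"OutputKey": "AccountId", "OutputValue": MANAGED_ACCOUNT}])])
    org = FakeOrganizations({MANAGED_ACCOUNT: "ACTIVE", UNMANAGED_ACCOUNT: "ACTIVE"})
    return sc, org


if __name__ == "__main__":
    sc, org = make_fakes()
    print("managed account blockers:", preflight(sc, org, MANAGED_ACCOUNT))
    print("closed:", close_member_account(sc, org, UNMANAGED_ACCOUNT, sleep=lambda _: None))
```

To run it against a real organization, replace make_fakes with boto3.client("servicecatalog") and boto3.client("organizations") from the management account and drop the sleep override. Closing through Organizations is the path that does not need the member account's root credentials; if you close from the member account's Billing console instead, the root-credential guidance above still applies. Either way, a second run of preflight after closure reports the SUSPENDED status, which is the restorable state described in the next section.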

Account Restoration and Re-enrollment Options Post-Closure

If you need to reinstate a closed AWS account, AWS provides a post-closure period (90 days) during which the account can be reopened; for a member account this requires contacting AWS Support. After reactivation, you can re-enroll the account in the landing zone to reapply policies, organizational unit membership, and other managed configurations.

Conclusion

Closing an AWS Landing Zone account is a multi-step process that requires careful preparation, unmanagement, and verification. Following these steps ensures that your account closure is seamless, compliant, and devoid of lingering dependencies. Always remember to retain root credentials until closure confirmation, and reach out to AWS Support if needed during any process step.
