2. ANDREW ALANIZ
Thoughts and opinions are my own
Head of Architecture and Cloud Risk
Previously Head of Security Architecture, Cloud Governance, Cloud Security
Operations and a few other things
LinkedIn: https://www.linkedin.com/in/andrewdalaniz
Twitter: @andrewdalaniz
Website: www.alaniz.io
Andrew Alaniz
@andrewdalaniz
alaniz.io
3. AGENDA
Situation
Conflicting Information
Gotchas
Make good decisions
How to do it right
4. SITUATION
• You have an established AWS organization
• You have a handful of accounts (100s? 1000s?)
• You have a reason to delete some accounts
• You have a well-architected environment
• HINT: that includes vaulted root credentials that have to be checked out before anyone can use them
• There are no APIs for deleting accounts (true when this talk was given; AWS Organizations has since added a CloseAccount API for member accounts, but the console flow is what the talk covers)
5. CONFLICTING INFO
• Even as of this presentation, there are at least three AWS sources for how to close an account
(and they have conflicting recommendations)
• https://aws.amazon.com/premiumsupport/knowledge-center/close-aws-account/
• “Terminate all your resources before closing your account”
• https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_close.html
• “Before closing your account, back up any applications and data that you want to retain and delete all
remaining AWS resources. All resources and data that were stored in the account are lost and cannot be
recovered.”
• https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/close-account.html
• “After the post-closure period, any remaining content in your AWS account is deleted, and services that
are still in use are terminated.”
6. GOTCHAS
• Step 1: Scratch head after reading three how-tos for deleting the accounts
• Step 2: Don’t guess at which directions to follow!
7. GOTCHAS
• ASSUMPTION: You are using AWS Organizations
• DO NOT remove an account from the organization as part of the deletion process.
• One of the AWS how-tos tells you to do exactly that:
“Closing a member account
When you close an account that was created with AWS Organizations, that account isn't removed from the
organization until after the post-closure period. During the post-closure period, a closed member account still counts
toward your quota of accounts in the organization.
To avoid having the account count against the limit, remove member accounts from the organization before closing
it.”
Closing an account - AWS Billing and Cost Management (amazon.com)
• AWS at least mentions the consequence in one of the docs: if any resource policy or role trust policy gates access on
aws:PrincipalOrgID, principals in the removed account no longer satisfy that condition and lose access to those resources.
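To see what actually breaks, here is an added example (my code, not from the talk or from AWS): a pre-flight check that scans policy documents for statements gated on organization membership and then evaluates them for the same caller before and after its account leaves the organization. It covers aws:PrincipalOrgPaths as well as the aws:PrincipalOrgID key the slide mentions, since both disappear from the request context together. The policy names, the org ID o-exampleorgid, the OU IDs and the account IDs are constructed, and the IAM condition evaluation is simplified to the two string operators the sample policies use.

```python
"""Added example (not from the talk): find policy statements gated on org
membership and show why they stop matching once the account leaves the org.
Policy names, org ID, OU IDs and account IDs are all constructed."""
from __future__ import annotations
import fnmatch
import json

ORG_CONDITION_KEYS = {"aws:principalorgid", "aws:principalorgpaths"}

# Constructed sample policy documents (hypothetical names and identifiers).
SAMPLE_POLICIES = {
    "shared-artifacts-bucket": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "OrgReadOnly", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::shared-artifacts", "arn:aws:s3:::shared-artifacts/*"],
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}),
    "audit-role-trust": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "AssumeFromProdOU", "Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": "sts:AssumeRole",
        "Condition": {"ForAnyValue:StringLike": {
            "aws:PrincipalOrgPaths": ["o-exampleorgid/r-exampleroot/ou-prod-*/"]}}}]}),
    "account-scoped-bucket": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "ExplicitAccount", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::account-scoped/*"}]}),
}

# Request-context keys a caller carries while its account is in the org ...
IN_ORG_CONTEXT = {"aws:PrincipalOrgID": "o-exampleorgid",
                  "aws:PrincipalOrgPaths": ["o-exampleorgid/r-exampleroot/ou-prod-a1b2/"]}
# ... and once the account stands alone: neither key exists in the context at all.
STANDALONE_CONTEXT: dict = {}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def org_gated_statements(policy_json: str) -> list[dict]:
    """Statements whose Condition block references an org-membership key."""
    hits = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        keys = sorted(key for pairs in stmt.get("Condition", {}).values()
                      for key in pairs if key.lower() in ORG_CONDITION_KEYS)
        if keys:
            hits.append({"sid": stmt.get("Sid", "<no Sid>"), "effect": stmt.get("Effect"), "keys": keys})
    return hits


def scan(policies: dict[str, str]) -> dict[str, list[dict]]:
    """Policy name -> org-gated statements; policies with none are omitted."""
    return {name: hits for name, doc in policies.items() if (hits := org_gated_statements(doc))}


def org_condition_matches(statement: dict, context: dict) -> bool:
    """Evaluate only the org-membership keys of a statement's Condition.

    Simplified IAM semantics: StringEquals / StringLike, with or without a
    ForAnyValue: set prefix, and no ...IfExists handling. A key missing from
    the request context fails the condition, which is exactly the situation
    of a principal whose account is no longer in any organization.
    """
    ctx = {k.lower(): _as_list(v) for k, v in context.items()}
    for operator, pairs in statement.get("Condition", {}).items():
        base = operator.split(":")[-1]
        for key, expected in pairs.items():
            if key.lower() not in ORG_CONDITION_KEYS:
                continue  # other condition keys are out of scope here
            actual = ctx.get(key.lower())
            if not actual:
                return False
            if base == "StringEquals":
                ok = any(a in _as_list(expected) for a in actual)
            elif base == "StringLike":
                ok = any(fnmatch.fnmatchcase(a, p) for a in actual for p in _as_list(expected))
            else:
                raise ValueError(f"operator {operator!r} not modelled")
            if not ok:
                return False
    return True


def demo() -> dict[str, bool]:
    """Same caller, before and after its account leaves the organization."""
    results = {}
    for name, doc in SAMPLE_POLICIES.items():
        stmt = json.loads(doc)["Statement"][0]
        results[f"{name}/in-org"] = org_condition_matches(stmt, IN_ORG_CONTEXT)
        results[f"{name}/standalone"] = org_condition_matches(stmt, STANDALONE_CONTEXT)
    return results


if __name__ == "__main__":
    print(json.dumps({"org_gated": scan(SAMPLE_POLICIES), "evaluation": demo()}, indent=2))
```

Run it and the two org-gated policies flip from allowed to denied for the standalone account while the explicitly account-scoped one keeps working, which is the inventory you want in hand before anyone clicks "leave organization". Feed it the real documents from `aws s3api get-bucket-policy`, `aws iam get-role` trust policies and similar in place of the constructed ones.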
8. GOTCHAS
So what happens if we remove it?
1. You lose EDP/Savings Plans/other discounts
2. You lose Enterprise Support
3. I repeat, you lose Enterprise Support
4. You must enter a credit card, and every charge the account incurs now lands on it
5. If your org had Shield Advanced, your standalone account now has its own Shield Advanced subscription, and see #4
   • Re-joining the organization does not resolve this issue
   • And remember #2? Losing Enterprise Support makes fixing this a little complicated
6. You lose org security services
   • You lose SCPs
7. Also, probably a good time to loop your legal team in
9. GOTCHAS
• Control Tower
• If you are doing this after utilizing Control Tower, you get the benefit of some added ‘features’
• I found this how-to from AWS: https://youtu.be/n3eALEKZaHc
• “All services deployed to this account such as guard rails…have been unenrolled. However, users
still have access to this account and its resources”
• So if you use Control Tower, closing an account means extra steps (unenrolling) and extra risk: the guardrails are
gone while users still have full access to the account and its resources
10. GOTCHAS
• Don’t delete everything before closing the account
• Keep the account in the org
• If you delete everything first, you lose the key services you still need during the wind-down:
• Security services
• Roles (including the ones your tooling assumes to get into the account)
• CSPM coverage
11. MAKE GOOD DECISIONS
• Do it right
• Most of the actions we’ve discussed (leaving an organization, leaving Control Tower, removing
services, etc.) should be treated as security incidents, because each one strips controls (SCPs, org security
services, guardrails) from the account. This is also a good time to check that your CloudWatch Events/SIEM/SOC
integrations actually fire on them.
• Consider data retention policies
• Consider data destruction policies (ideally agreed on before the data went into the cloud)
• Over-communicate
• Track changes and dates (for the suspended period)
• Real World Scenarios
• M&A
• ‘Legacy’ architecture migration
• Shutting down a business
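Checking that the integrations fire is easier with a concrete rule. The following is an added example (my code, not from the talk or from AWS): a CloudTrail detection for the Organizations calls that take an account out from under your controls, run over a constructed CloudTrail log file in the real `{"Records": [...]}` shape, plus the equivalent EventBridge event pattern. The watched event names (LeaveOrganization, RemoveAccountFromOrganization, DetachPolicy and the CloseAccount API AWS added after this talk) are real Organizations API names; every record, account ID, ARN and timestamp below is constructed.

```python
"""Added example (not from the talk): a CloudTrail detection for the actions the
talk says to treat as security incidents: an account leaving or being removed
from the organization, a policy (SCP) being detached, and account closure via
the Organizations CloseAccount API. All records below are constructed."""
from __future__ import annotations
import json

ORG_SOURCE = "organizations.amazonaws.com"
# eventName -> why it matters. Organizations is a global service, so these
# records are logged in us-east-1; an EventBridge rule for them must live there.
WATCHED = {
    "LeaveOrganization": "member account left the organization",
    "RemoveAccountFromOrganization": "management account removed a member",
    "CloseAccount": "account closure requested through Organizations",
    "DetachPolicy": "a policy (e.g. an SCP) was detached from a target",
}


def _record(name, account, actor_arn, source=ORG_SOURCE, **extra) -> dict:
    """Build a minimal constructed CloudTrail record (hypothetical identifiers)."""
    rec = {"eventVersion": "1.08", "eventSource": source, "eventName": name,
           "eventTime": "2021-06-01T14:03:11Z", "recipientAccountId": account,
           "userIdentity": {"type": "IAMUser", "accountId": account, "arn": actor_arn}}
    rec.update(extra)
    return rec


# One constructed CloudTrail log file: two real incidents, one denied attempt, two benign calls.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    _record("LeaveOrganization", "222222222222", "arn:aws:iam::222222222222:user/admin"),
    _record("RemoveAccountFromOrganization", "111111111111", "arn:aws:iam::111111111111:role/OrgAdmin",
            requestParameters={"accountId": "333333333333"}),
    _record("DescribeOrganization", "111111111111", "arn:aws:iam::111111111111:role/ReadOnly"),
    _record("LeaveOrganization", "444444444444", "arn:aws:iam::444444444444:user/dev",
            errorCode="AccessDeniedException",
            errorMessage="User: arn:aws:iam::444444444444:user/dev is not authorized to perform: "
                         "organizations:LeaveOrganization with an explicit deny in a service control policy"),
    _record("DeleteBucket", "222222222222", "arn:aws:iam::222222222222:user/admin", source="s3.amazonaws.com"),
]})


def evaluate(event: dict) -> dict | None:
    """Return an alert for a watched Organizations call, or None for anything else."""
    if event.get("eventSource") != ORG_SOURCE or event.get("eventName") not in WATCHED:
        return None
    failed = "errorCode" in event  # attempted but denied, e.g. by an SCP: still worth a ticket
    params = event.get("requestParameters") or {}
    return {
        "severity": "medium" if failed else "high",
        "event": event["eventName"],
        "time": event.get("eventTime"),
        "actor": event.get("userIdentity", {}).get("arn"),
        # RemoveAccountFromOrganization and CloseAccount name their target account;
        # LeaveOrganization acts on the caller's own account.
        "target_account": params.get("accountId") or event.get("recipientAccountId"),
        "reason": WATCHED[event["eventName"]] + (f" (call failed: {event['errorCode']})" if failed else ""),
    }


def alerts_from_log_file(text: str) -> list[dict]:
    """Run the rule over one CloudTrail log file ({"Records": [...]})."""
    return [alert for rec in json.loads(text)["Records"] if (alert := evaluate(rec))]


def eventbridge_pattern() -> dict:
    """Equivalent EventBridge event pattern, for wiring the same rule to a SIEM/SOC target."""
    return {"source": ["aws.organizations"],
            "detail-type": ["AWS API Call via CloudTrail"],
            "detail": {"eventSource": [ORG_SOURCE], "eventName": sorted(WATCHED)}}


if __name__ == "__main__":
    for alert in alerts_from_log_file(SAMPLE_LOG_FILE):
        print(json.dumps(alert))
    print(json.dumps(eventbridge_pattern()))
```

The denied LeaveOrganization attempt is kept as a medium-severity alert on purpose: an SCP blocking it is the control working, but someone trying is exactly the thing a planned wind-down should make you look at. Replace the constructed file with the objects CloudTrail delivers to your trail bucket, or drop the pattern from `eventbridge_pattern()` into a rule in us-east-1 and confirm the SOC actually receives a test event.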
12. HOW TO DO IT RIGHT
ASSUMPTION: Everything in the account is ready to be deleted
1. Log in as the account’s root user
2. Go to the Billing console’s account page, tick the four acknowledgement checkboxes, and click Close Account
3. The account is closed immediately and enters the 90-day post-closure period; until it ends you can still sign in as
root to reopen it, and after it the closure is permanent and any remaining content is deleted
Easy enough, right? Just make sure you do it right the first time.
• Closing an AWS account - AWS Organizations (amazon.com)