CHALLENGES WITH DELETING AWS ACCOUNTS AT SCALE
ANDREW ALANIZ
ANDREW ALANIZ
• Thoughts and opinions are my own
• Head of Architecture and Cloud Risk
• Previously Head of Security Architecture, Cloud Governance, Cloud Security Operations and a few other things
• LinkedIn: https://www.linkedin.com/in/andrewdalaniz
• Twitter: @andrewdalaniz
• Website: www.alaniz.io
Andrew Alaniz
@andrewdalaniz
alaniz.io
AGENDA
• Situation
• Conflicting Information
• Gotchas
• Make good decisions
• How to do it right
SITUATION
• You have an established AWS organization
• You have a handful of accounts (100s?, 1000s?)
• You have a reason to delete some accounts
• You have a well architected environment
• HINT: This includes checking out root credentials
• There are no APIs for deleting accounts
CONFLICTING INFO
• Even as of this presentation, there are at least three AWS sources for how to close an account (and they have conflicting recommendations)
• https://aws.amazon.com/premiumsupport/knowledge-center/close-aws-account/
  • “Terminate all your resources before closing your account”
• https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_close.html
  • “Before closing your account, back up any applications and data that you want to retain and delete all remaining AWS resources. All resources and data that were stored in the account are lost and cannot be recovered.”
• https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/close-account.html
  • “After the post-closure period, any remaining content in your AWS account is deleted, and services that are still in use are terminated.”
GOTCHAS
• Step 1: Scratch head after reading three how-tos for deleting the accounts
• Step 2: Don’t guess at which directions to follow!
GOTCHAS
• ASSUMPTION: You are using AWS Organizations
• DO NOT remove an account from the organization as part of the deletion process.
• This is in one of the AWS how-tos:
  “Closing a member account
  When you close an account that was created with AWS Organizations, that account isn't removed from the organization until after the post-closure period. During the post-closure period, a closed member account still counts toward your quota of accounts in the organization.
  To avoid having the account count against the limit, remove member accounts from the organization before closing it.”
  Closing an account - AWS Billing and Cost Management (amazon.com)
• AWS at least mentions this in one of the docs: If you use aws:PrincipalOrgID in any policies, once the account is removed, you may lose access to those resources.
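The aws:PrincipalOrgID gotcha above is something you can check for before anyone touches org membership. The following is an added example (not from the slides, and not an AWS tool): a small scanner over IAM-style policy documents that reports every statement whose access is conditioned on organization membership, via aws:PrincipalOrgID and the related aws:PrincipalOrgPaths, aws:ResourceOrgID and aws:ResourceOrgPaths keys. The sample policies, the org ID `o-exampleorgid` and the bucket names are constructed; in practice you would feed it the policy documents returned by the S3, KMS, IAM and similar APIs for the accounts that share resources with the one being closed.

```python
"""Pre-removal check: find policy statements whose access depends on the
caller's account still being a member of the AWS organization.

Added example, not from the slides. The policy documents, the org ID
o-exampleorgid and the bucket/key names below are constructed samples.
"""
import json

# Condition keys whose evaluation changes once an account leaves the org.
# Matching is case-insensitive, as IAM evaluates condition keys.
ORG_CONDITION_KEYS = {
    "aws:principalorgid",
    "aws:principalorgpaths",
    "aws:resourceorgid",
    "aws:resourceorgpaths",
}


def _as_list(value):
    """IAM allows either a scalar or a list for Statement/Action/Resource values."""
    return value if isinstance(value, list) else [value]


def find_org_dependent_statements(policy_document):
    """Return one finding per statement that references an org condition key.

    policy_document may be a JSON string or an already-parsed dict.
    """
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        condition = stmt.get("Condition", {})
        hits = []
        for operator, keys in condition.items():          # e.g. "StringEquals"
            for key, expected in keys.items():            # e.g. "aws:PrincipalOrgID"
                if key.lower() in ORG_CONDITION_KEYS:
                    hits.append((operator, key, _as_list(expected)))
        if hits:
            findings.append({
                "sid": stmt.get("Sid", "<no Sid>"),
                "effect": stmt.get("Effect"),
                "actions": _as_list(stmt.get("Action", [])),
                "resources": _as_list(stmt.get("Resource", [])),
                "org_conditions": hits,
            })
    return findings


def scan_policies(named_policies):
    """Scan {name: policy} and return {name: findings} for policies with hits only."""
    report = {}
    for name, policy in named_policies.items():
        findings = find_org_dependent_statements(policy)
        if findings:
            report[name] = findings
    return report


# Constructed sample policies (placeholder org ID and resource names).
SAMPLE_POLICIES = {
    "s3://shared-artifacts bucket policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowOrgRead", "Effect": "Allow", "Principal": "*",
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::shared-artifacts", "arn:aws:s3:::shared-artifacts/*"],
             "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": "arn:aws:s3:::shared-artifacts/*",
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    }),
    "kms key policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": {  # a single statement object, not a list: also valid
            "Sid": "AllowOrgDecrypt", "Effect": "Allow", "Principal": {"AWS": "*"},
            "Action": "kms:Decrypt", "Resource": "*",
            "Condition": {"ForAnyValue:StringLike": {"aws:PrincipalOrgPaths": ["o-exampleorgid/*"]}},
        },
    }),
    "public website bucket policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                       "Resource": "arn:aws:s3:::www-example/*"}],
    }),
}


if __name__ == "__main__":
    for name, findings in scan_policies(SAMPLE_POLICIES).items():
        print(f"{name}: access depends on org membership")
        for f in findings:
            print(f"  {f['sid']} ({f['effect']}) {f['actions']} -> {f['org_conditions']}")
```

Anything the scanner reports is a resource that will stop working for a principal in the account the moment the account leaves the organization, which is the point of the slide: removing the account is not a harmless cleanup step.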
GOTCHAS
So what happens if we remove it?
1. You lose EDP/Savings Plans/other discounts
2. You lose Enterprise Support
3. I repeat, you lose Enterprise Support
4. You must enter a credit card to incur all charges
5. If your org had Shield Advanced, well now your stand-alone account does too, and see #4
   1. Re-joining the organization does not resolve this issue
   2. And remember #2? It makes fixing this a little complicated
6. You lose org security services
   1. You lose SCPs
7. Also, probably a good time to loop your legal team in
GOTCHAS
• Control Tower
  • If you are doing this after utilizing Control Tower, you get the benefit of some added ‘features’
  • I found this how-to from AWS: https://youtu.be/n3eALEKZaHc
    • “All services deployed to this account such as guard rails…have been unenrolled. However, users still have access to this account and its resources”
  • So essentially, if you use Control Tower, you have to add risk and add steps in order to close an account
GOTCHAS
• Don’t delete everything before deleting the account
  • Keep the account in the org
  • If you delete everything you lose key services
    • Security Services
    • Roles
    • CSPM
MAKE GOOD DECISIONS
• Do it right
  • Most of the actions we’ve discussed (leaving an organization, leaving Control Tower, removing services, etc.) should be considered security incidents. This is also a good time to check your CloudWatch Events/SIEM/SOC integrations to ensure they are working.
  • Consider data retention policies
  • Consider data destruction policies (maybe talk about this one before putting the data in the cloud)
  • Over-communicate
  • Track changes and dates (for the suspended period)
• Real World Scenarios
  • M&A
  • ‘Legacy’ architecture migration
  • Shutting down a business
HOW TO DO IT RIGHT
ASSUMPTION: Everything in the account is ready to be deleted
1. Log in as root
2. Go to billing, check four boxes, and click close account
3. Wait 90 days for the account to be closed
Easy enough, right? Just make sure you do it right the first time.
• Closing an AWS account - AWS Organizations (amazon.com)
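The "Make good decisions" slide says to treat org-membership changes as security incidents, to verify the CloudTrail/SIEM path is actually delivering those events, and to track dates through the suspended period; the closing procedure above then leaves you waiting 90 days per account. The block below is an added example (not from the slides, and not AWS tooling) that does both in one place: a detector run over constructed CloudTrail-style log lines that raises an alert for the Organizations calls behind "leaving the organization" and "losing SCPs" (LeaveOrganization, RemoveAccountFromOrganization and DetachPolicy are real Organizations API names; the requestParameters field names and the record contents are assumptions and constructed samples), and a tracker that records who closed which account on what date and computes the end of the 90-day post-closure period. Accounts on an approved-exception list (say, a divestiture in the M&A scenario) are tagged "expected" instead of "incident" so they still get logged.

```python
"""Detection and date tracking for AWS account-closure work.

Added example, not from the slides. CloudTrail records, account IDs,
ARNs, names and ticket IDs below are constructed samples; the
requestParameters field names are assumptions about the record shape.
"""
import json
from datetime import date, timedelta

POST_CLOSURE_DAYS = 90  # post-closure period stated in the talk

# Organizations API calls (CloudTrail eventName) that change org membership
# or the SCPs applied to an account. All three are real API operation names.
ORG_EVENTS = {
    "LeaveOrganization",              # a member account left on its own
    "RemoveAccountFromOrganization",  # the management account removed it
    "DetachPolicy",                   # an SCP was detached from a target
}


def parse_records(log_lines):
    """Parse one JSON CloudTrail record per line, skipping blank lines."""
    return [json.loads(line) for line in log_lines if line.strip()]


def classify_events(records, approved_exceptions):
    """Return alerts for org-membership events.

    Any such event is an "incident" unless the affected account (or SCP
    target) is on the approved-exception list, in which case it is tagged
    "expected" and still recorded for tracking.
    """
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "organizations.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name not in ORG_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        # Assumed shape: RemoveAccountFromOrganization carries accountId,
        # DetachPolicy carries targetId (account, OU or root); LeaveOrganization
        # is called from the leaving account, so recipientAccountId is the target.
        target = params.get("accountId") or params.get("targetId") or rec.get("recipientAccountId")
        alerts.append({
            "time": rec.get("eventTime"),
            "event": name,
            "account": target,
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "severity": "expected" if target in approved_exceptions else "incident",
        })
    return alerts


def record_closure(tracker, account_id, closed_on, requested_by, ticket):
    """Record a closure (closed_on as a date or 'YYYY-MM-DD') and compute when
    the post-closure period ends. tracker is a dict keyed by account ID."""
    if isinstance(closed_on, str):
        closed_on = date.fromisoformat(closed_on)
    tracker[account_id] = {
        "closed_on": closed_on.isoformat(),
        "post_closure_ends": (closed_on + timedelta(days=POST_CLOSURE_DAYS)).isoformat(),
        "requested_by": requested_by,
        "ticket": ticket,
    }
    return tracker[account_id]


def still_in_post_closure(tracker, account_id, today):
    """True while the closed account still sits in its post-closure period."""
    return today <= date.fromisoformat(tracker[account_id]["post_closure_ends"])


# Constructed sample log lines (placeholder account IDs and ARNs).
SAMPLE_LOG_LINES = [
    json.dumps({"eventTime": "2021-06-01T14:02:11Z", "eventSource": "organizations.amazonaws.com",
                "eventName": "RemoveAccountFromOrganization", "recipientAccountId": "111111111111",
                "userIdentity": {"arn": "arn:aws:iam::111111111111:role/OrgAdmin"},
                "requestParameters": {"accountId": "222222222222"}}),
    json.dumps({"eventTime": "2021-06-01T14:05:40Z", "eventSource": "organizations.amazonaws.com",
                "eventName": "LeaveOrganization", "recipientAccountId": "333333333333",
                "userIdentity": {"arn": "arn:aws:iam::333333333333:root"},
                "requestParameters": None}),
    json.dumps({"eventTime": "2021-06-01T14:07:00Z", "eventSource": "s3.amazonaws.com",
                "eventName": "DeleteBucket", "recipientAccountId": "222222222222",
                "userIdentity": {"arn": "arn:aws:iam::222222222222:role/Cleanup"},
                "requestParameters": {"bucketName": "old-artifacts"}}),
]
APPROVED_EXCEPTIONS = {"222222222222"}  # e.g. a divestiture signed off by legal


if __name__ == "__main__":
    for alert in classify_events(parse_records(SAMPLE_LOG_LINES), APPROVED_EXCEPTIONS):
        print(alert)
    tracker = {}
    print(record_closure(tracker, "444444444444", "2021-06-01", "cloud-risk", "CHG-0001"))
```

Running the sample records through the detector is also the cheapest way to confirm the pipeline end to end: if a deliberate, approved org change never shows up as an "expected" alert in the SIEM, the integration is broken and the real incident will not show up either.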
Deleting Amazon Accounts - Andrew Alaniz - fwd:cloudsec