Closing an AWS Landing Zone Provisioned Account
This article is a part of my Landing Zone series. View the first of the series here: AWS Control Tower: Beginning of the Adventure.
To properly clean up Landing Zone resources created by Control Tower and avoid unexpected behavior, unmanage the AWS account before closing it. The unexpected behavior is described in the official AWS documentation, Closing an account:
“If you close a member account without first unmanaging it, AWS Control Tower shows the account’s status as Suspended, but also as Enrolled. As a result, if you attempt to Re-register the account’s OU during that 90-day time, AWS Control Tower produces an error message.”
Before proceeding, prepare the root user credentials for the AWS account you want to close.
Unmanage the Account
Log in to the root Landing Zone account with administrator access and go to Service Catalog. Select Provisioned products. You will see a list of accounts that are managed by Control Tower.
Select the account that you wish to unmanage, then choose Terminate from the Actions menu in the top right corner of the page.
Type terminate into the field to confirm, then click the Terminate provisioned product button. You can close the prompt and wait for the status to change to Not Enrolled or for the account to disappear from the list.
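The wait at the end of this step can be scripted as a gate before the account is closed. The following is an added example, not part of the original article: it pages through Service Catalog with a boto3 `servicecatalog` client and reports whether the account's provisioned product is gone, still terminating, or stuck. It assumes Account Factory entries have Type `CONTROL_TOWER_ACCOUNT` and carry the member account ID in `PhysicalId`; the function names and return labels are hypothetical.

```python
import time

def find_account_products(sc, account_id):
    """Return provisioned products that still reference account_id (all pages)."""
    found, token = [], None
    while True:
        kwargs = {"AccessLevelFilter": {"Key": "Account", "Value": "self"}}
        if token:
            kwargs["PageToken"] = token
        page = sc.search_provisioned_products(**kwargs)
        for pp in page.get("ProvisionedProducts", []):
            # Assumption: Account Factory entries use this Type and store the
            # member account ID in PhysicalId.
            if (pp.get("Type") == "CONTROL_TOWER_ACCOUNT"
                    and pp.get("PhysicalId") == account_id):
                found.append(pp)
        token = page.get("NextPageToken")
        if not token:
            return found

def closure_readiness(sc, account_id):
    """Classify whether the account can be closed without leaving it Enrolled."""
    statuses = {pp.get("Status") for pp in find_account_products(sc, account_id)}
    if not statuses:
        return "READY"            # no longer listed: unmanaged
    if statuses & {"ERROR", "TAINTED"}:
        return "FAILED"           # termination did not complete; investigate
    if "UNDER_CHANGE" in statuses:
        return "IN_PROGRESS"      # termination still running
    return "STILL_MANAGED"        # Terminate has not been requested yet

def wait_until_unmanaged(sc, account_id, timeout=1800, interval=30,
                         sleep=time.sleep):
    """Poll while termination is in progress; return the final state."""
    deadline = time.monotonic() + timeout
    while True:
        state = closure_readiness(sc, account_id)
        if state != "IN_PROGRESS" or time.monotonic() >= deadline:
            return state
        sleep(interval)

if __name__ == "__main__":
    import sys
    import boto3  # needs credentials for the Landing Zone management account
    result = wait_until_unmanaged(boto3.client("servicecatalog"), sys.argv[1])
    print(result)
    sys.exit(0 if result == "READY" else 1)
```

Only a `READY` result means it is safe to move on to closing the account; any other state means the provisioned product still exists in Service Catalog.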
Close the Account
Log in to the unmanaged AWS account using the registered root user credentials: https://console.aws.amazon.com/console/home. The root user is the Account Email that you used during the creation of the account in the Control Tower Account Factory.
In the upper right corner, select the account name, then choose Account. The section for closing the account is at the bottom of the page. Check all the boxes, and choose Close Account. Confirm the closing of the account when prompted. You can still log in to the account and restore it for up to 90 days, but you have to re-enroll the account in Control Tower.