How To Remove An Account From AWS Organization
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In the last couple of blogs, we discussed how to create an organization, add member accounts to it, create an organizational unit, and move accounts from one OU to another.
https://cloudaffaire.com/how-to-create-an-organization-in-aws/
https://cloudaffaire.com/how-to-create-an-organizational-unit-using-aws-cli/
In today’s blog post we will do something destructive and cover the points below:
- How to move an account from one child organizational unit to another child organizational unit.
- How to rename an organizational unit.
- How to delete an organizational unit.
- How to remove a member account from an AWS organization.
- How to delete an organization in AWS.
Warning: Deleting an organization is an irreversible operation, and removing a member account strips it of every service control policy the organization applied to it. This blog is for learning purposes only. Do not attempt to reproduce it unless you are fully aware of the consequences.
If you are following this series, your organization should look like this: the management account sits directly under the Root; a Foundation OU under the Root holds the member1 account; and a Regulatory OU nested under Foundation holds the member2 account.
Prerequisites:
- Three active AWS accounts with admin access.
- An AWS organization created with the two member accounts added.
- AWS CLI installed and configured with admin access to each account, plus jq for parsing the JSON output.
I have already configured three AWS CLI profiles, one per account, as below:
## AWS CLI configuration
cat ~/.aws/credentials
[management]
aws_access_key_id =
aws_secret_access_key =
[member1]
aws_access_key_id =
aws_secret_access_key =
[member2]
aws_access_key_id =
aws_secret_access_key =

cat ~/.aws/config
[management]
region = ap-south-1
output = json
[member1]
region = ap-south-1
output = json
[member2]
region = ap-south-1
output = json

## Verify that each profile resolves to the account you expect before running
## anything destructive (the Account field is the 12-digit account ID)
aws sts get-caller-identity --profile management
aws sts get-caller-identity --profile member1
aws sts get-caller-identity --profile member2
You can use the links below to install and configure the AWS CLI.
https://cloudaffaire.com/how-to-install-aws-cli/
https://cloudaffaire.com/how-to-configure-aws-cli/
How To Move An Account From One Organizational Unit To Another Organizational Unit Using AWS CLI:
Here we will move the member2 account, which currently sits under the Regulatory OU (nested under Foundation), up to the Foundation OU.
Step 1: Capture details for your Organization.
## Get details on your organization
aws organizations describe-organization \
--profile management

## Get the details of every account in your organization
aws organizations list-accounts \
--profile management

## Get the Root ID (the Root is the top of the tree; it is not itself an OU)
ROOT_OU_ID=$(aws organizations list-roots \
--profile management | jq -r .Roots[0].Id) && echo $ROOT_OU_ID

## Get your Foundation OU ID
## Note: .Children[0] picks the first child returned; this only works because
## each parent in this series has exactly one child OU and one account
FOUNDATION_OU_ID=$(aws organizations list-children \
--child-type ORGANIZATIONAL_UNIT \
--parent-id $ROOT_OU_ID \
--profile management | jq -r .Children[0].Id) && echo $FOUNDATION_OU_ID

## Get your Regulatory OU ID (nested under Foundation)
REGULATORY_OU_ID=$(aws organizations list-children \
--child-type ORGANIZATIONAL_UNIT \
--parent-id $FOUNDATION_OU_ID \
--profile management | jq -r .Children[0].Id) && echo $REGULATORY_OU_ID

## Get the account ID under each parent
## Get the Management Account ID (directly under the Root)
MANAGEMENT_ACC_ID=$(aws organizations list-children \
--child-type ACCOUNT \
--parent-id $ROOT_OU_ID \
--profile management | jq -r .Children[0].Id) && echo $MANAGEMENT_ACC_ID

## Get the Member1 Account ID under the Foundation OU
MEMBER1_ACC_ID=$(aws organizations list-children \
--child-type ACCOUNT \
--parent-id $FOUNDATION_OU_ID \
--profile management | jq -r .Children[0].Id) && echo $MEMBER1_ACC_ID

## Get the Member2 Account ID under the Regulatory OU
MEMBER2_ACC_ID=$(aws organizations list-children \
--child-type ACCOUNT \
--parent-id $REGULATORY_OU_ID \
--profile management | jq -r .Children[0].Id) && echo $MEMBER2_ACC_ID
Step 2: Move the Member2 account from the Regulatory OU to the Foundation OU
## Move the Member2 account from the Regulatory OU to the Foundation OU
## move-account requires the account's current parent as --source-parent-id;
## the call fails if the account is not actually under that parent
aws organizations move-account \
--account-id $MEMBER2_ACC_ID \
--source-parent-id $REGULATORY_OU_ID \
--destination-parent-id $FOUNDATION_OU_ID \
--profile management

## Check the accounts under the Foundation and Regulatory OUs
aws organizations list-children \
--child-type ACCOUNT \
--parent-id $FOUNDATION_OU_ID \
--profile management

aws organizations list-children \
--child-type ACCOUNT \
--parent-id $REGULATORY_OU_ID \
--profile management

## Observe that the Foundation OU now has two accounts and
## the Regulatory OU has none, because we moved member2 out of it
How To Rename An Organizational Unit Using AWS CLI:
Step 3: Rename an organizational unit using the AWS CLI
## Rename the Regulatory OU to Standalone (the OU ID does not change, only its name)
aws organizations update-organizational-unit \
--organizational-unit-id $REGULATORY_OU_ID \
--name Standalone \
--profile management && STANDALONE=$REGULATORY_OU_ID
How To Delete An Organizational Unit Using AWS CLI:
Step 4: Delete the Standalone OU
## Delete the Standalone OU
## This only succeeds because the OU is empty: an OU that still contains
## accounts or child OUs cannot be deleted
aws organizations delete-organizational-unit \
--organizational-unit-id $STANDALONE \
--profile management
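The CLI steps above locate OUs with `jq -r .Children[0].Id`, which silently picks whichever child the API lists first, and they pass a source parent to move-account that is assumed rather than looked up. The script below is an added example (not code from this post): it resolves OUs by name along a path such as Foundation/Regulatory, looks up an account's real parent with ListParents before moving it, and refuses to delete an OU that still has children. The method names and response shapes follow boto3's `client("organizations")` (list_roots, list_children, list_parents, describe_organizational_unit, move_account, delete_organizational_unit); `FakeOrganizations` is a constructed in-memory stand-in with made-up IDs so the script runs offline. Swapping it for `boto3.client("organizations")` with management-account credentials runs the same logic for real.

```python
"""Added example: navigate an AWS Organizations tree by OU name and guard
MoveAccount / DeleteOrganizationalUnit. FakeOrganizations is a constructed
stand-in for boto3.client("organizations"); all IDs are made-up samples."""


class FakeOrganizations:
    """Constructed sample tree (same shape as the series):
    Root -> management account, OU Foundation -> member1, OU Regulatory -> member2."""

    def __init__(self):
        self.names = {"ou-r1-found": "Foundation", "ou-r1-regul": "Regulatory"}
        self.tree = {  # parent id -> [(child id, child type)]
            "r-r1": [("111111111111", "ACCOUNT"), ("ou-r1-found", "ORGANIZATIONAL_UNIT")],
            "ou-r1-found": [("222222222222", "ACCOUNT"), ("ou-r1-regul", "ORGANIZATIONAL_UNIT")],
            "ou-r1-regul": [("333333333333", "ACCOUNT")],
        }

    def list_roots(self):
        return {"Roots": [{"Id": "r-r1", "Name": "Root"}]}

    def list_children(self, ParentId, ChildType, NextToken=None):
        kids = [{"Id": i, "Type": t} for i, t in self.tree.get(ParentId, []) if t == ChildType]
        return {"Children": kids}  # the real client may add NextToken; see list_child_ids()

    def list_parents(self, ChildId):
        for parent, kids in self.tree.items():
            if any(i == ChildId for i, _ in kids):
                kind = "ROOT" if parent.startswith("r-") else "ORGANIZATIONAL_UNIT"
                return {"Parents": [{"Id": parent, "Type": kind}]}
        raise LookupError("ChildNotFoundException")  # real client: botocore ClientError

    def describe_organizational_unit(self, OrganizationalUnitId):
        return {"OrganizationalUnit": {"Id": OrganizationalUnitId,
                                       "Name": self.names[OrganizationalUnitId]}}

    def move_account(self, AccountId, SourceParentId, DestinationParentId):
        # Like the real API, a wrong SourceParentId is rejected; callers must look it up.
        if (AccountId, "ACCOUNT") not in self.tree.get(SourceParentId, []):
            raise LookupError("AccountNotFoundException")
        self.tree[SourceParentId].remove((AccountId, "ACCOUNT"))
        self.tree.setdefault(DestinationParentId, []).append((AccountId, "ACCOUNT"))

    def delete_organizational_unit(self, OrganizationalUnitId):
        if self.tree.get(OrganizationalUnitId):
            raise LookupError("OrganizationalUnitNotEmptyException")
        self.tree.pop(OrganizationalUnitId, None)
        for kids in self.tree.values():
            if (OrganizationalUnitId, "ORGANIZATIONAL_UNIT") in kids:
                kids.remove((OrganizationalUnitId, "ORGANIZATIONAL_UNIT"))


def list_child_ids(client, parent_id, child_type):
    """All child IDs of one type under parent_id, following NextToken pagination."""
    ids, kwargs = [], {"ParentId": parent_id, "ChildType": child_type}
    while True:
        resp = client.list_children(**kwargs)
        ids.extend(c["Id"] for c in resp["Children"])
        if not resp.get("NextToken"):
            return ids
        kwargs["NextToken"] = resp["NextToken"]


def resolve_ou_path(client, path):
    """Resolve 'Foundation/Regulatory' to an OU ID by matching names level by level,
    so the result does not depend on the order in which children are listed."""
    parent = client.list_roots()["Roots"][0]["Id"]
    for name in path.strip("/").split("/"):
        for ou_id in list_child_ids(client, parent, "ORGANIZATIONAL_UNIT"):
            ou = client.describe_organizational_unit(OrganizationalUnitId=ou_id)["OrganizationalUnit"]
            if ou["Name"] == name:
                parent = ou_id
                break
        else:
            raise KeyError(f"no OU named {name!r} under {parent}")
    return parent


def move_account_safely(client, account_id, dest_parent_id):
    """Move an account using its actual current parent as the source (MoveAccount
    fails otherwise). Returns (source, destination); a no-op if already there."""
    source = client.list_parents(ChildId=account_id)["Parents"][0]["Id"]
    if source != dest_parent_id:
        client.move_account(AccountId=account_id, SourceParentId=source,
                            DestinationParentId=dest_parent_id)
    return source, dest_parent_id


def delete_ou_if_empty(client, ou_id):
    """Delete an OU only when it holds no accounts and no child OUs. Returns True
    if deleted, False if refused, so a scripted teardown never half-completes."""
    if list_child_ids(client, ou_id, "ACCOUNT") or list_child_ids(client, ou_id, "ORGANIZATIONAL_UNIT"):
        return False
    client.delete_organizational_unit(OrganizationalUnitId=ou_id)
    return True


if __name__ == "__main__":
    org = FakeOrganizations()
    foundation = resolve_ou_path(org, "Foundation")
    regulatory = resolve_ou_path(org, "Foundation/Regulatory")
    print("delete before move:", delete_ou_if_empty(org, regulatory))   # refused, still holds member2
    print("move member2:", move_account_safely(org, "333333333333", foundation))
    print("delete after move:", delete_ou_if_empty(org, regulatory))
```

Against a real organization the only change is the client object; every call shown is the boto3 equivalent of the CLI subcommand used in Steps 1 to 4, and both the move and the OU deletion are issued only after the script has confirmed the tree is in the state it expects.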
How To Remove A Member Account From AWS Organization:
A member account can be removed from an AWS organization in two ways:
- From the management account, which removes the member directly.
- From the member account itself, which leaves the organization.
We will cover both 😊
Either way, the account must be able to operate as a standalone account (it needs its own contact details and a valid payment method on file, which an account created through the organization may not have yet), and a member that is registered as a delegated administrator must be deregistered first. Once the account is out, no service control policy from the organization applies to it any more, so whatever those SCPs were blocking becomes allowed.
Step 5: Remove a member account from the AWS organization
## Remove a member account from the organization (1st method: from the management account)
aws organizations remove-account-from-organization \
--account-id $MEMBER2_ACC_ID \
--profile management

## Remove a member account from the organization (2nd method: the member leaves)
## This runs with member1's own credentials; that principal needs the
## organizations:LeaveOrganization permission
aws organizations leave-organization \
--profile member1

## Check the accounts under the Foundation OU (there should be none left)
aws organizations list-children \
--child-type ACCOUNT \
--parent-id $FOUNDATION_OU_ID \
--profile management
How To Delete An Organization In AWS Using AWS CLI:
Step 6: Delete the AWS organization
## Delete the organization
## This only succeeds once every member account has been removed; afterwards the
## management account becomes a standalone account and the operation cannot be undone
aws organizations delete-organization \
--profile management
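Steps 5 and 6 are the destructive ones, and the CLI gives no warning before they run. The script below is an added example (not code from this post) of the pre-flight checks a practitioner would put in front of them: before removing an account it confirms the target is not the management account or a delegated administrator, and it reports SCPs attached directly to the account, since those stop applying the moment the account leaves; before deleting the organization it refuses while any member account remains. The method names and response shapes follow boto3's `client("organizations")` (describe_organization, list_accounts, list_delegated_administrators, list_policies_for_target, remove_account_from_organization, delete_organization); `FakeOrganizations` is a constructed offline stand-in with made-up IDs, and the SCP lookup assumes the organization has all features enabled. Replace the fake with `boto3.client("organizations")` under management-account credentials to run it for real; the member-side alternative from Step 5 is `leave_organization()` and needs the member's own credentials.

```python
"""Added example: pre-flight checks before RemoveAccountFromOrganization and
DeleteOrganization. FakeOrganizations is a constructed stand-in for
boto3.client("organizations"); all IDs and policy IDs are made-up samples."""


class FakeOrganizations:
    def __init__(self):
        self.master = "111111111111"
        self.accounts = {  # constructed sample data
            "111111111111": {"Name": "management", "Status": "ACTIVE"},
            "222222222222": {"Name": "member1", "Status": "ACTIVE"},
            "333333333333": {"Name": "member2", "Status": "ACTIVE"},
        }
        self.delegated = {"222222222222"}                      # member1 is a delegated admin
        self.direct_scps = {"333333333333": ["p-denyregions"]}  # an SCP attached directly to member2
        self.deleted = False

    def describe_organization(self):
        return {"Organization": {"Id": "o-sample", "MasterAccountId": self.master}}

    def list_accounts(self, NextToken=None):
        return {"Accounts": [{"Id": i, **a} for i, a in self.accounts.items()]}

    def list_delegated_administrators(self, **kwargs):
        return {"DelegatedAdministrators": [{"Id": i} for i in sorted(self.delegated)]}

    def list_policies_for_target(self, TargetId, Filter, **kwargs):
        return {"Policies": [{"Id": p} for p in self.direct_scps.get(TargetId, [])]}

    def remove_account_from_organization(self, AccountId):
        # The real API raises ConstraintViolationException in both of these cases.
        if AccountId == self.master or AccountId in self.delegated:
            raise LookupError("ConstraintViolationException")
        del self.accounts[AccountId]

    def delete_organization(self):
        if len(self.accounts) > 1:
            raise LookupError("OrganizationNotEmptyException")
        self.deleted = True


def removal_blockers(client, account_id):
    """Return {"blockers": [...], "warnings": [...]} for removing account_id.
    Blockers mean the API call is expected to fail; warnings are consequences."""
    blockers, warnings = [], []
    mgmt = client.describe_organization()["Organization"]["MasterAccountId"]
    if account_id == mgmt:
        blockers.append("is the management account; delete the organization instead")
    admins = client.list_delegated_administrators()["DelegatedAdministrators"]
    if any(d["Id"] == account_id for d in admins):
        blockers.append("is a delegated administrator; deregister it first")
    scps = client.list_policies_for_target(TargetId=account_id,
                                           Filter="SERVICE_CONTROL_POLICY")["Policies"]
    if scps:
        ids = ", ".join(p["Id"] for p in scps)
        warnings.append(f"directly attached SCP(s) {ids} stop applying once it leaves")
    return {"blockers": blockers, "warnings": warnings}


def remove_member(client, account_id):
    """Remove account_id only when nothing blocks it; returns the warnings for the audit log."""
    check = removal_blockers(client, account_id)
    if check["blockers"]:
        raise RuntimeError(f"refusing to remove {account_id}: " + "; ".join(check["blockers"]))
    client.remove_account_from_organization(AccountId=account_id)
    return check["warnings"]


def remaining_members(client):
    """Sorted member account IDs still in the organization (everything but the management account)."""
    mgmt = client.describe_organization()["Organization"]["MasterAccountId"]
    ids, kwargs = [], {}
    while True:
        resp = client.list_accounts(**kwargs)
        ids.extend(a["Id"] for a in resp["Accounts"] if a["Id"] != mgmt)
        if not resp.get("NextToken"):
            return sorted(ids)
        kwargs["NextToken"] = resp["NextToken"]


def delete_organization_if_empty(client):
    """DeleteOrganization is irreversible and only succeeds once every member is gone;
    check first so the refusal is explicit. Returns True if the organization was deleted."""
    left = remaining_members(client)
    if left:
        print("refusing to delete organization; members remain:", left)
        return False
    client.delete_organization()
    return True


if __name__ == "__main__":
    org = FakeOrganizations()
    for acct in ("111111111111", "222222222222", "333333333333"):
        print(acct, removal_blockers(org, acct))
    print("warnings on removing member2:", remove_member(org, "333333333333"))
    print("delete now:", delete_organization_if_empty(org))   # refused, member1 remains
```

The check functions are read-only, so they can be run on their own as a dry run against a real organization before any of the commands in Steps 5 and 6 are typed.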
Hope you have enjoyed this article. To know more about AWS Organizations, please refer to the official documentation below.
https://docs.aws.amazon.com/organizations/index.html