How to delete an AWS account from Control Tower even if you don’t have root access?
Working within the AWS environment can often prove to be challenging and, at times, quite frustrating. One of my significant sources of frustration is AWS Control Tower. While it may initially appear straightforward, delving deeper into its functionalities reveals a level of complexity that can catch you off guard. However, it does come with a notable advantage – AWS Control Tower offers efficient management of your organizational units (OUs) directly from your AWS root account.
Having complete control over your organization’s AWS accounts empowers you to take actions such as suspending and closing unused AWS accounts. It’s crucial to exercise extreme caution in this regard and ensure that your AWS root account is fortified with robust security measures. A compromised root account could result in severe consequences.
In this guide, I will walk you through the steps of permanently deleting an AWS account from the AWS platform, including the removal of all associated resources within that single account.
Pro tip from DevOps Ninja
Before you start tampering with account deletion, I suggest you create a separate Organizational Unit (OU) in AWS Control Tower and name it “SUSPENDED” or something like that.
The problem is that the account is not deleted right away. It will be suspended for 90 (!) days, and all that time it will be a part of your AWS Organization. This might be a problem, especially if you use CloudFormation StackSets or Service Control Policies to configure accounts in your Organization.
So before deleting the account you want gone, move it to the separate SUSPENDED OU first. You can do it from the root account of your Organization in the AWS console.
Go to AWS Control Tower, click on the account you want to delete, and press “Update account”.

Then choose your newly created Organizational Unit and press “Update account”.

Wait until the account move is finished. You will see a green “Enrolled” status when it is done.
Congratulations! You may continue!
Delete AWS Account from AWS Control Tower
The trickiest part is that you can’t remove it using the Control Tower service.
Go to AWS Organizations instead! Find your account there, then click on it and Voila! The “Close” button appears. Press it!

Then tick all the checkboxes, confirm the account number and close it for good.

Like I said, it will still be part of your Organization for 90 more days in “pending closure” status. But in 90 days it will be permanently deleted. Congratulations! You did it!
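The same close step can be scripted with a guard that enforces the "move it to the SUSPENDED OU first" advice above. This is an added example, not code from the original guide: `close_member_account`, `PreconditionError` and `StubOrg` are hypothetical names, all account and OU IDs are constructed, and the four client methods used are the boto3 Organizations calls of the same name.

```python
class PreconditionError(Exception):
    """The account is not in a state where closing it is safe."""


def close_member_account(org, account_id, suspended_ou_id):
    """Close account_id only if it is an ACTIVE member parked in the SUSPENDED OU.

    org: boto3.client("organizations") created in the Organization's own account,
    or any object exposing the same four methods.
    """
    mgmt_id = org.describe_organization()["Organization"]["MasterAccountId"]
    if account_id == mgmt_id:
        raise PreconditionError("refusing to close the account that owns the Organization")
    status = org.describe_account(AccountId=account_id)["Account"]["Status"]
    if status != "ACTIVE":
        raise PreconditionError(f"account status is {status}, expected ACTIVE")
    parents = {p["Id"] for p in org.list_parents(ChildId=account_id)["Parents"]}
    if parents != {suspended_ou_id}:
        raise PreconditionError(f"move the account to {suspended_ou_id} first (now under {sorted(parents)})")
    org.close_account(AccountId=account_id)
    return org.describe_account(AccountId=account_id)["Account"]["Status"]


class StubOrg:
    """Constructed stand-in for the Organizations client so the example runs offline."""

    def __init__(self, mgmt_id, parents):
        self.mgmt_id, self.parents = mgmt_id, dict(parents)
        self.status = {acct: "ACTIVE" for acct in parents}
        self.closed = []

    def describe_organization(self):
        return {"Organization": {"MasterAccountId": self.mgmt_id}}

    def describe_account(self, AccountId):
        return {"Account": {"Id": AccountId, "Status": self.status[AccountId]}}

    def list_parents(self, ChildId):
        return {"Parents": [{"Id": self.parents[ChildId], "Type": "ORGANIZATIONAL_UNIT"}]}

    def close_account(self, AccountId):
        self.closed.append(AccountId)
        self.status[AccountId] = "PENDING_CLOSURE"


if __name__ == "__main__":
    # Constructed IDs; with real credentials pass boto3.client("organizations") instead.
    org = StubOrg("111111111111", {"222222222222": "ou-test-suspended", "333333333333": "ou-test-workloads"})
    print(close_member_account(org, "222222222222", "ou-test-suspended"))
    try:
        close_member_account(org, "333333333333", "ou-test-suspended")
    except PreconditionError as err:
        print("blocked:", err)
```

The script deliberately does not move the account itself; the move stays in Control Tower as described above, and the guard only verifies that it has happened.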