Closing a member account in your organization
If you no longer need a member account in your organization, you can close it from the AWS Organizations console.
You can also close an AWS account directly from the Account page.
To close a management account, see Closing a management account in your organization.
How to close a member account
When you sign in to the organization's management account, you can close member accounts that are part of your organization. To do this, complete the following steps.
Important
Before you close your member account, we highly recommend that you review considerations and understand the impact for closing an account. For more information, see What you need to know before closing your account and What to expect after you close your account in the AWS Account Management Guide.
Protecting member accounts from closure
If you want to protect a member account from accidental closure, you can create an IAM policy to specify which accounts are exempt from closure. Any member account protected with these policies can't be closed. This can't be accomplished with an SCP, because SCPs don't affect principals in the management account.
You can create an IAM policy that denies closing accounts in either of two ways:
- Explicitly list each account that you want to protect in the policy by including the arn in the Resource element. To see an example, see Prevent member accounts listed in this policy from getting closed.
- Tag individual accounts to prevent them from getting closed. Use the aws:ResourceTag tag global condition key in your policy to prevent any account with the tag from being closed. To learn how to tag an account, see Tagging Organizations resources. To see an example, see Prevent member accounts with tags from getting closed.
Example IAM policies that prevent member account closures
The following code examples show two different methods you can use to restrict member accounts from closing their account.
Prevent member accounts with tags from getting closed
You can attach the following policy to an identity in your management account.
This policy prevents principals in the management account from closing any member account that is tagged with the aws:ResourceTag tag global condition key, the AccountType key and the Critical tag value.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PreventCloseAccountForTaggedAccts",
            "Effect": "Deny",
            "Action": "organizations:CloseAccount",
            "Resource": "*",
            "Condition": {
                "StringEquals": {"aws:ResourceTag/AccountType": "Critical"}
            }
        }
    ]
}
Prevent member accounts listed in this policy from getting closed
You can attach the following policy to an identity in your management account.
This policy prevents principals in the management account from closing member accounts explicitly specified in the Resource element.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PreventCloseAccount",
            "Effect": "Deny",
            "Action": "organizations:CloseAccount",
            "Resource": [
                "arn:aws:organizations::555555555555:account/o-12345abcdef/123456789012",
                "arn:aws:organizations::555555555555:account/o-12345abcdef/123456789014"
            ]
        }
    ]
}
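The following coverage check is an added example, not part of the original AWS documentation. It applies the two Deny statements above to an account inventory and reports which accounts neither method protects. It is a simplified offline model that handles only Action, Resource and StringEquals on aws:ResourceTag; the account inventory, the account IDs ending in 013, 015 and 016, and the helper names are constructed for illustration.

```python
import fnmatch

ORG = "arn:aws:organizations::555555555555:account/o-12345abcdef/"

# Both Deny statements from this page, combined into one policy document.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PreventCloseAccountForTaggedAccts", "Effect": "Deny",
     "Action": "organizations:CloseAccount", "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/AccountType": "Critical"}}},
    {"Sid": "PreventCloseAccount", "Effect": "Deny",
     "Action": "organizations:CloseAccount",
     "Resource": [ORG + "123456789012", ORG + "123456789014"]},
]}

# Constructed inventory (not real accounts): ARN plus the account's tags.
ACCOUNTS = [
    {"Arn": ORG + "123456789012", "Tags": {}},                           # listed by ARN
    {"Arn": ORG + "123456789013", "Tags": {"AccountType": "Critical"}},  # tagged
    {"Arn": ORG + "123456789015", "Tags": {"AccountType": "Sandbox"}},   # other value
    {"Arn": ORG + "123456789016", "Tags": {"AccountType": "critical"}},  # wrong case
]

def as_list(value):
    return value if isinstance(value, list) else [value]

def denies_close(stmt, account):
    """True if this statement denies organizations:CloseAccount on the account."""
    if stmt.get("Effect") != "Deny":
        return False
    actions = [a.lower() for a in as_list(stmt.get("Action", []))]
    if not any(fnmatch.fnmatchcase("organizations:closeaccount", a) for a in actions):
        return False
    if not any(fnmatch.fnmatchcase(account["Arn"], r) for r in as_list(stmt.get("Resource", []))):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "StringEquals":
            return False  # unmodelled operator: report as unprotected, review by hand
        for key, expected in pairs.items():
            if not key.startswith("aws:ResourceTag/"):
                return False  # unmodelled condition key
            tag_value = account["Tags"].get(key.split("/", 1)[1])
            if tag_value not in as_list(expected):  # StringEquals is case-sensitive
                return False
    return True

def unprotected(policy, accounts):
    """Account IDs that no Deny statement in the policy protects from closure."""
    return [a["Arn"].rsplit("/", 1)[1] for a in accounts
            if not any(denies_close(s, a) for s in as_list(policy["Statement"]))]

if __name__ == "__main__":
    print(unprotected(POLICY, ACCOUNTS))
```

The account tagged with the value critical in lower case is reported as unprotected because StringEquals compares values case-sensitively, which is a common reason a tag-based protection silently misses an account.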