

# Multi-account strategy
<a name="multiaccountstrategy-pattern-list"></a>

**Topics**
+ [Migrate an AWS member account from AWS Organizations to AWS Control Tower](migrate-an-aws-member-account-from-aws-organizations-to-aws-control-tower.md)
+ [Set up alerts for programmatic account closures in AWS Organizations](set-up-alerts-for-programmatic-account-closures-in-aws-organizations.md)
+ [More patterns](multiaccountstrategy-more-patterns-pattern-list.md)

# Migrate an AWS member account from AWS Organizations to AWS Control Tower
<a name="migrate-an-aws-member-account-from-aws-organizations-to-aws-control-tower"></a>

*Rodolfo Jr. Cerrada, Amazon Web Services*

## Summary
<a name="migrate-an-aws-member-account-from-aws-organizations-to-aws-control-tower-summary"></a>

This pattern describes how to migrate an AWS account from AWS Organizations, where it is a member account that's governed by a management account, to AWS Control Tower. By enrolling the account in AWS Control Tower, you can take advantage of preventive and detective controls and features that streamline your account governance. You might also want to migrate your member account if your AWS Organizations management account has been compromised, and you want to move member accounts to a new organization that is governed by AWS Control Tower.

AWS Control Tower provides a framework that combines and integrates the capabilities of several other AWS services, including AWS Organizations, and ensures consistent compliance and governance across your multi-account environment. With AWS Control Tower, you can follow a set of prescribed rules and definitions that extend the capabilities of AWS Organizations. For example, you can use controls to ensure that security logs and necessary cross-account access permissions are created, and not altered.

## Prerequisites and limitations
<a name="migrate-an-aws-member-account-from-aws-organizations-to-aws-control-tower-prereqs"></a>

**Prerequisites**
+ An active AWS account
+ AWS Control Tower set up in your target organization in AWS Organizations (for instructions, see [Setting up](https://docs.aws.amazon.com/controltower/latest/userguide/setting-up.html) in the AWS Control Tower documentation)
+ Administrator credentials for AWS Control Tower (member of the **AWSControlTowerAdmins** group)
+ Administrator credentials for the source AWS account

**Limitations**
+ The source management account in AWS Organizations must be different from the target management account in AWS Control Tower.

**Product versions**
+ AWS Control Tower version 2.3 (February 2020) or later (see [release notes](https://docs.aws.amazon.com/controltower/latest/userguide/release-notes.html))

## Architecture
<a name="migrate-an-aws-member-account-from-aws-organizations-to-aws-control-tower-architecture"></a>

The following diagram illustrates the migration process and reference architecture. This pattern migrates the AWS account from the source organization to a target organization that is governed by AWS Control Tower.  

![\[AWS Control Tower enrollment process for an AWS account that's migrated to another organization and moved to a registered OU.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/1fc2c2f0-fa5d-4068-a2b2-9e57cea2aff5/images/0654d242-0faa-4810-9e53-40ef89305b5b.png)


The enrollment process consists of these steps:

1. The target organization sends an invitation for the account to join the organization. 

1. The account accepts the invitation and becomes a member of the target organization.

1. The account is enrolled in AWS Control Tower and moved to a registered organizational unit (OU). (We recommend that you check the AWS Control Tower dashboard to confirm the enrollment.) At this point, all controls that are enabled in the registered OU take effect.

## Tools
<a name="migrate-an-aws-member-account-from-aws-organizations-to-aws-control-tower-tools"></a>

**AWS services**
+ [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) is an account management service that enables you to consolidate multiple AWS accounts into a single entity (an *organization*) that you create and centrally manage.
+ [AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html) integrates the capabilities of other services, including AWS Organizations, AWS IAM Identity Center, and AWS Service Catalog, to help you enforce and manage governance rules for security, operations, and compliance at scale across all your organizations and accounts in the AWS Cloud.

## Epics
<a name="migrate-an-aws-member-account-from-aws-organizations-to-aws-control-tower-epics"></a>

### Invite the account to join the new organization with AWS Control Tower
<a name="invite-the-account-to-join-the-new-organization-with-ctower"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Sign in to AWS Control Tower. | Sign in to the AWS Control Tower console as an administrator. Currently, there is no direct way to move an AWS account from a source organization to an organization in an OU that's governed by AWS Control Tower. However, you can extend AWS Control Tower governance to an existing AWS account when you enroll it into an OU that's already governed by AWS Control Tower. That's why you have to log in to AWS Control Tower for this step. | AWS Control Tower administrator | 
| Invite the member account. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/migrate-an-aws-member-account-from-aws-organizations-to-aws-control-tower.html) Verify that no applications or network connectivity will be affected by the account transfer. This action sends an invitation email with a link to the member account. When the account administrator follows the link and accepts the invitation, the member account appears in the **AWS accounts** page. For more information, see [Managing account invitations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_invites.html) in the AWS Organizations documentation. | AWS Control Tower administrator | 
| Test applications and connectivity. | When the member account has been registered into the new organization, it appears in the OU within a root. It also appears in the [AWS Control Tower console](https://console.aws.amazon.com/controltower), flagged as not enrolled in accounts, because it hasn't yet been enrolled in the AWS Control Tower registered OU. Verify the following: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/migrate-an-aws-member-account-from-aws-organizations-to-aws-control-tower.html) | AWS Control Tower administrator, Member account administrator, Application owners | 

### Prepare the account for enrollment
<a name="prepare-the-account-for-enrollment"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Review controls and fix any violations. | Review the controls that are defined in the target OU, especially the preventive controls, and fix any violations. A number of [mandatory, preventive controls](https://docs.aws.amazon.com/controltower/latest/controlreference/preventive-controls.html) are enabled by default when you set up your AWS Control Tower landing zone. These can't be disabled. You must review these mandatory controls and fix the member account (manually or by using a script) before you enroll the account. Preventive controls keep AWS Control Tower registered accounts compliant and prevent policy violations. Any violation of preventive controls might affect enrollment. Detective control violations appear in the AWS Control Tower dashboard, if detected, after successful enrollment. They do not affect the enrollment process. For more information, see [About controls](https://docs.aws.amazon.com/controltower/latest/controlreference/controls.html) in the AWS Control Tower documentation. | AWS Control Tower administrator, Member account administrator | 
| Check for connectivity issues after fixing control violations. | In some cases, you might have to close specific ports or disable services to fix control violations. Make sure that applications that use those ports and services are remediated before you enroll the account. | Application owner | 

### Enroll the account into AWS Control Tower
<a name="enroll-the-account-into-ctowerlong"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Sign in to AWS Control Tower. | Sign in to the [AWS Control Tower console](https://console.aws.amazon.com/controltower). Use sign-in credentials that have administrative permissions for AWS Control Tower. Do not use the root user (management account) credentials to enroll an AWS Organizations account. This will display an error message. | AWS Control Tower administrator | 
| Enroll the account. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/migrate-an-aws-member-account-from-aws-organizations-to-aws-control-tower.html) For more information, see [About enrolling existing accounts](https://docs.aws.amazon.com/controltower/latest/userguide/enroll-account.html) in the AWS Control Tower documentation. | AWS Control Tower administrator | 

### Verify the account after enrollment
<a name="verify-the-account-after-enrollment"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Verify the account. | From AWS Control Tower, choose **Accounts**. The account that you just enrolled has an initial state of **Enrolling**. When enrollment is complete, its state changes to **Enrolled**. | AWS Control Tower administrator, Member account administrator | 
| Check for control violations. | Controls defined in the OU will automatically apply to the enrolled member account. Monitor the AWS Control Tower dashboard for violations and fix them accordingly. For more information, see [About controls](https://docs.aws.amazon.com/controltower/latest/controlreference/controls.html) in the AWS Control Tower documentation. | AWS Control Tower administrator, Member account administrator | 

## Troubleshooting
<a name="migrate-an-aws-member-account-from-aws-organizations-to-aws-control-tower-troubleshooting"></a>


| Issue | Solution | 
| --- | --- | 
| You receive the error message: **An unknown error occurred. Try again later, or contact AWS Support.** | This error occurs when you use root user credentials (management account) in AWS Control Tower to enroll a new account. AWS Service Catalog can't map the Account Factory portfolio or product to the root user, which results in the error message. To remediate this error, use non-root, full-access user (administrator) credentials to enroll the new account. For more information about assigning administrative access to a user, see [Getting started](https://docs.aws.amazon.com/singlesignon/latest/userguide/getting-started.html) in the IAM Identity Center documentation. | 
| The AWS Control Tower **Activities** page displays a **Get Catastrophic Drift** action. | This action reflects a drift check of the service and does not indicate any issues with the AWS Control Tower setup. No action is required. | 

## Related resources
<a name="migrate-an-aws-member-account-from-aws-organizations-to-aws-control-tower-resources"></a>

**Documentation**
+ [Terminology and concepts](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) (AWS Organizations documentation)
+ [What is AWS Control Tower?](https://docs.aws.amazon.com/controltower/latest/userguide/) (AWS Control Tower documentation)
+ [Removing a member account from an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_remove.html#leave-without-all-info) (AWS Organizations documentation)
+ [Setting up](https://docs.aws.amazon.com/controltower/latest/userguide/setting-up.html#setting-up-iam) (AWS Control Tower documentation)

**Tutorials and videos**
+ [AWS Control Tower workshop](https://catalog.workshops.aws/control-tower/) (self-paced workshop)
+ [What is AWS Control Tower?](https://www.youtube.com/watch?v=daLvEb44d5Q) (video)
+ [Provisioning Users in AWS Control Tower](https://www.youtube.com/watch?v=y_n9xN5mg1g) (video)

# Set up alerts for programmatic account closures in AWS Organizations
<a name="set-up-alerts-for-programmatic-account-closures-in-aws-organizations"></a>

*Richard Milner-Watts, Debojit Bhadra, and Manav Yadav, Amazon Web Services*

## Summary
<a name="set-up-alerts-for-programmatic-account-closures-in-aws-organizations-summary"></a>

The [CloseAccount API](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CloseAccount.html) for [AWS Organizations](https://aws.amazon.com/organizations/) enables you to close member accounts within an organization programmatically, without having to log in to the account with root credentials. The [RemoveAccountFromOrganization API](https://docs.aws.amazon.com/organizations/latest/APIReference/API_RemoveAccountFromOrganization.html) removes an account from an organization in AWS Organizations, so that it becomes a standalone account.

These APIs potentially increase the number of operators who can close or remove an AWS account. All users who have access to the organization through AWS Identity and Access Management (IAM) in the AWS Organizations management account can call these APIs, so access isn’t limited to the owner of the account's root email with any associated multi-factor authentication (MFA) device.

This pattern implements alerts when the `CloseAccount` and `RemoveAccountFromOrganization` APIs are called, so you can monitor these activities. For alerts, it uses an [Amazon Simple Notification Service](https://aws.amazon.com/sns/) (Amazon SNS) topic. You can also set up Slack notifications through a [webhook](https://api.slack.com/messaging/webhooks).

## Prerequisites and limitations
<a name="set-up-alerts-for-programmatic-account-closures-in-aws-organizations-prereqs"></a>

**Prerequisites**
+ An active AWS account
+ An organization in AWS Organizations
+ Access to the organization management account, under the organization's root, to create the required resources

**Limitations**
+ As described in the [AWS Organizations API reference](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CloseAccount.html), the `CloseAccount` API allows only 10 percent of active member accounts to be closed within a rolling 30-day period.
+ When an AWS account is closed, its status is changed to SUSPENDED. For 90 days after this status transition, AWS Support can reopen the account. After 90 days the account is permanently deleted.
+ Users who have access to the AWS Organizations management account and APIs might also have permissions to disable these alerts. If the primary concern is malicious behavior instead of accidental deletion, consider protecting the resources created by this pattern with an [IAM permissions boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html).
+ The API calls for `CloseAccount` and `RemoveAccountFromOrganization` are processed in the US East (N. Virginia) Region (`us-east-1`). Therefore, you must deploy this solution in `us-east-1` in order to observe the events.

## Architecture
<a name="set-up-alerts-for-programmatic-account-closures-in-aws-organizations-architecture"></a>

**Target technology stack**
+ AWS Organizations
+ AWS CloudTrail
+ Amazon EventBridge
+ AWS Lambda
+ Amazon SNS

**Target architecture**

The following diagram shows the solution architecture for this pattern.


![\[Architecture for setting up alerts in AWS Organizations for account closures\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/ba9d9db1-fab8-4e3b-a1bb-f0be91ade5c6/images/92caee55-2722-4ba2-bdd2-66f1af35dce5.png)


1. AWS Organizations processes a `CloseAccount` or `RemoveAccountFromOrganization` request.

1. Amazon EventBridge is integrated with AWS CloudTrail to deliver these events to the default event bus.

1. A custom Amazon EventBridge rule matches the AWS Organizations requests and calls an AWS Lambda function.

1. The Lambda function delivers a message to an SNS topic, which users can subscribe to for email alerts or further processing.

1. If Slack notifications are enabled, the Lambda function delivers a message to a Slack webhook.

## Tools
<a name="set-up-alerts-for-programmatic-account-closures-in-aws-organizations-tools"></a>

**AWS services**
+ [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) provides a way to model a collection of related AWS and third-party resources, provision them quickly and consistently, and manage them throughout their lifecycles, by treating infrastructure as code.
+ [Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html) is a serverless event bus service that you can use to connect your applications with data from a variety of sources. EventBridge receives an event, an indicator of a change in environment, and applies a rule to route the event to a target. Rules match events to targets based on either the structure of the event, called an *event pattern*, or on a schedule.
+ [AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) is a compute service that supports running code without provisioning or managing servers. Lambda runs your code only when needed and scales automatically, from a few requests each day to thousands each second. You pay only for the compute time that you consume. There is no charge when your code is not running.
+ [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) helps you centrally manage and govern your environment as you grow and scale your AWS resources. Using AWS Organizations, you can programmatically create new AWS accounts and allocate resources, group accounts to organize your workflows, apply policies to accounts or groups for governance, and simplify billing by using a single payment method for all your accounts.
+ [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) monitors and records account activity across your AWS infrastructure, and gives you control over storage, analysis, and remediation actions.
+ [Amazon Simple Notification Service (Amazon SNS)](https://docs.aws.amazon.com/sns/latest/dg/welcome.html) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.

**Other tools**
+ [AWS Lambda Powertools for Python library](https://docs.powertools.aws.dev/lambda/python/latest/) is a set of utilities that provide tracing, logging, metrics, and event handling features for Lambda functions.

**Code**

The code for this pattern is located in the GitHub [AWS Account Closure Notifier](https://github.com/aws-samples/aws-account-closure-notifier) repository.

The solution includes a CloudFormation template that deploys the architecture for this pattern. It uses the [AWS Lambda Powertools for Python library](https://docs.powertools.aws.dev/lambda/python/latest/) to provide logging and tracing.

## Epics
<a name="set-up-alerts-for-programmatic-account-closures-in-aws-organizations-epics"></a>

### Deploy the architecture
<a name="deploy-the-architecture"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Launch the CloudFormation template for the solution stack. | The CloudFormation template for this pattern is in the main branch of the [GitHub repository](https://github.com/aws-samples/aws-account-closure-notifier). It deploys the IAM roles, EventBridge rules, Lambda functions, and the SNS topic. To launch the template: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/set-up-alerts-for-programmatic-account-closures-in-aws-organizations.html) For more information about launching a CloudFormation stack, see the [AWS documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-create-stack.html). | AWS administrator | 
| Verify that the solution has launched successfully. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/set-up-alerts-for-programmatic-account-closures-in-aws-organizations.html) | AWS administrator | 
| Subscribe to the SNS topic. | (Optional) If you want to subscribe to the SNS topic: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/set-up-alerts-for-programmatic-account-closures-in-aws-organizations.html) For more information about setting up SNS notifications, see the [Amazon SNS documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/US_SetupSNS.html). | AWS administrator | 

### Verify the solution
<a name="verify-the-solution"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Send a test event to the default event bus. | The [GitHub repository](https://github.com/aws-samples/aws-account-closure-notifier) provides a sample event that you can send to the EventBridge default event bus for testing. The EventBridge rule also reacts to events that use the custom event source `account.closure.notifier`. You can’t use the CloudTrail event source to send this event, because it’s not possible to send an event as an AWS service. To send a test event: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/set-up-alerts-for-programmatic-account-closures-in-aws-organizations.html) | AWS administrator | 
| Verify that the email notification was received. | Check the mailbox that subscribed to the SNS topic for notifications. You should receive an email with details of the account that was closed and the principal that performed the API call. | AWS administrator | 
| Verify that the Slack notification was received. | (Optional) If you specified a webhook URL for the `SlackWebhookEndpoint` parameter when you deployed the CloudFormation template, check the Slack channel that is mapped to the webhook. It should display a message with details of the account that was closed and the principal that performed the API call. | AWS administrator | 
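The alert path from the architecture section (EventBridge rule matching the CloudTrail-delivered `CloseAccount` and `RemoveAccountFromOrganization` calls, then a Lambda function building the SNS message) and the custom-source test event from the verification step, shown together as an added Python example. This is not code from the pattern or from the aws-account-closure-notifier project: the event pattern, the layout of the `account.closure.notifier` test payload, the account IDs, ARNs and IP addresses are all constructed assumptions, and SNS publishing is injected as a callable so the module runs offline.

```python
"""Added example (not the aws-account-closure-notifier project's code): models the
EventBridge rule and the Lambda handler for programmatic account closure alerts.
All event shapes, IDs, ARNs and addresses below are constructed placeholders."""
from typing import Callable, Optional, Tuple

WATCHED_API_CALLS = ["CloseAccount", "RemoveAccountFromOrganization"]

# Assumed rule pattern: the CloudTrail-backed source plus the custom test source
# the verification step uses. Both are assumed to carry the CloudTrail detail shape.
EVENT_PATTERN = {
    "source": ["aws.organizations", "account.closure.notifier"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["organizations.amazonaws.com"],
        "eventName": WATCHED_API_CALLS,
    },
}


def matches(pattern: dict, event: dict) -> bool:
    """Minimal EventBridge pattern matcher (exact-match subset only): every pattern
    key must exist in the event, a list means 'any of these values', and a nested
    dict is matched recursively."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def summarize(event: dict) -> dict:
    """Extract what a responder needs from the CloudTrail detail record. CloudTrail
    lower-camel-cases request parameters, so AccountId arrives as accountId. A denied
    call still carries errorCode and is worth alerting on too."""
    detail = event["detail"]
    identity = detail.get("userIdentity", {})
    params = detail.get("requestParameters") or {}
    return {
        "api": detail["eventName"],
        "target_account": params.get("accountId", "unknown"),
        "principal": identity.get("arn") or identity.get("principalId", "unknown"),
        "source_ip": detail.get("sourceIPAddress", "unknown"),
        "time": detail.get("eventTime", event.get("time", "unknown")),
        "error": detail.get("errorCode"),
    }


def build_alert(summary: dict) -> Tuple[str, str]:
    """Return (subject, body). SNS subjects are capped at 100 characters."""
    outcome = f"FAILED ({summary['error']})" if summary["error"] else "succeeded"
    subject = f"[AWS Organizations] {summary['api']} on account {summary['target_account']} {outcome}"
    body = "\n".join([
        f"API call:   {summary['api']} ({outcome})",
        f"Account:    {summary['target_account']}",
        f"Principal:  {summary['principal']}",
        f"Source IP:  {summary['source_ip']}",
        f"Time (UTC): {summary['time']}",
    ])
    return subject[:100], body


def handler(event: dict, context=None,
            publish: Optional[Callable[[str, str], None]] = None) -> dict:
    """Lambda entry point. `publish` stands in for an SNS publish call (in a deployed
    function it would wrap a boto3 SNS client; assumption for this example)."""
    if not matches(EVENT_PATTERN, event):
        return {"status": "ignored"}  # the rule should never deliver such events
    summary = summarize(event)
    subject, body = build_alert(summary)
    if publish is not None:
        publish(subject, body)
    return {"status": "alerted", "subject": subject, "message": body, **summary}


# Constructed CloudTrail-backed event: a successful CloseAccount by an assumed role.
SAMPLE_CLOUDTRAIL_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.organizations",
    "time": "2024-01-15T10:00:00Z",
    "region": "us-east-1",
    "detail": {
        "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEID:ops-user",
                         "arn": "arn:aws:sts::111111111111:assumed-role/OrgAdmin/ops-user"},
        "eventTime": "2024-01-15T10:00:00Z",
        "eventSource": "organizations.amazonaws.com",
        "eventName": "CloseAccount",
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"accountId": "222222222222"},
    },
}

# Constructed test event on the custom source, here recording a denied removal attempt.
SAMPLE_TEST_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "account.closure.notifier",
    "detail": {
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/tester"},
        "eventTime": "2024-01-15T11:00:00Z",
        "eventSource": "organizations.amazonaws.com",
        "eventName": "RemoveAccountFromOrganization",
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"accountId": "333333333333"},
        "errorCode": "AccessDenied",
    },
}

# A read-only Organizations call that the rule must not forward.
UNRELATED_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.organizations",
    "detail": {"eventSource": "organizations.amazonaws.com", "eventName": "DescribeAccount"},
}

if __name__ == "__main__":
    for ev in (SAMPLE_CLOUDTRAIL_EVENT, SAMPLE_TEST_EVENT, UNRELATED_EVENT):
        print(handler(ev, publish=lambda s, b: print("SNS publish:", s))["status"])
```

The matcher deliberately implements only the exact-match subset of EventBridge pattern syntax, which is all this rule needs; a deployed rule is evaluated by EventBridge itself and the pattern dict is only there to make the filtering visible. Keeping failed calls in the alert (the `errorCode` branch) is the defender-relevant detail: an `AccessDenied` on `CloseAccount` from an unexpected principal is exactly the signal this pattern exists to surface.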

## Related resources
<a name="set-up-alerts-for-programmatic-account-closures-in-aws-organizations-resources"></a>
+ [CloseAccount action](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CloseAccount.html) (AWS Organizations API reference)
+ [RemoveAccountFromOrganization action](https://docs.aws.amazon.com/organizations/latest/APIReference/API_RemoveAccountFromOrganization.html) (AWS Organizations API reference)
+ [AWS Lambda Powertools for Python](https://docs.powertools.aws.dev/lambda/python/latest/)

# More patterns
<a name="multiaccountstrategy-more-patterns-pattern-list"></a>

**Topics**
+ [Automate account creation by using the Landing Zone Accelerator on AWS](automate-account-creation-lza.md)
+ [Automate deletion of AWS CloudFormation stacks and associated resources](automate-deletion-cloudformation-stacks-associated-resources.md)
+ [Automate dynamic pipeline management for deploying hotfix solutions in Gitflow environments by using AWS Service Catalog and AWS CodePipeline](automate-dynamic-pipeline-management-for-deploying-hotfix-solutions.md)
+ [Build an enterprise data mesh with Amazon DataZone, AWS CDK, and AWS CloudFormation](build-enterprise-data-mesh-amazon-data-zone.md)
+ [Centralize monitoring by using Amazon CloudWatch Observability Access Manager](centralize-monitoring-by-using-amazon-cloudwatch-observability-access-manager.md)
+ [Govern permission sets for multiple accounts by using Account Factory for Terraform](govern-permission-sets-aft.md)
+ [Implement a Gitflow branching strategy for multi-account DevOps environments](implement-a-gitflow-branching-strategy-for-multi-account-devops-environments.md)
+ [Implement a GitHub Flow branching strategy for multi-account DevOps environments](implement-a-github-flow-branching-strategy-for-multi-account-devops-environments.md)
+ [Implement a Trunk branching strategy for multi-account DevOps environments](implement-a-trunk-branching-strategy-for-multi-account-devops-environments.md)
+ [Manage AWS permission sets dynamically by using Terraform](manage-aws-permission-sets-dynamically-by-using-terraform.md)
+ [Create a hierarchical, multi-Region IPAM architecture on AWS by using Terraform](multi-region-ipam-architecture.md)
+ [Set up CloudFormation drift detection in a multi-Region, multi-account organization](set-up-aws-cloudformation-drift-detection-in-a-multi-region-multi-account-organization.md)
+ [Set up DNS resolution for hybrid networks in a multi-account AWS environment](set-up-dns-resolution-for-hybrid-networks-in-a-multi-account-aws-environment.md)