5

How can I remove an enrolled account from AWS Control Tower? After removing a member account from the AWS Organization (in the master account), it still appears in Control Tower as "not found".

Removed member account listed as "not found" in Control Tower (I don't have enough reputation points to post images directly)

How can I remove the member account from Control Tower?

mulles3008
  • 1
    Just found the answer: https://docs.aws.amazon.com/controltower/latest/userguide/account-factory.html#unmanage-account. I'm embarrassed. Make sure to unmanage the enrolled account before closing it, otherwise it will not work. – mulles3008 May 04 '20 at 00:35

2 Answers

7

Step 1: From the Service Catalog console, terminate the provisioned product that launched, created or enrolled the member account. This process is also known as unmanaging an account from Control Tower. When you terminate an Account Factory account in AWS Service Catalog, the account is not closed. This action removes the account from its OU and your landing zone.

https://docs.aws.amazon.com/controltower/latest/userguide/account-factory.html?icmpid=docs_ctower_console#unmanage-account

Step 2: Remove the member account from the AWS Organization. In order to remove the account from the organization, it needs to be able to operate as a standalone account. Hence, it is necessary to complete the sign-up steps.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_remove.html

Step 3: Log in to the AWS member account with root credentials and close it. To close an account, you must be signed in as the AWS account's root user.

https://aws.amazon.com/premiumsupport/knowledge-center/close-aws-account/

Dragan Rakita
1

You need to terminate the provisioned product from the Service Catalog. Control Tower uses Account Factory, which uses Service Catalog to create new accounts. This process is done by launching a Service Catalog product. If you already closed the account via Organizations or with its root login, you can go to the Service Catalog console and terminate the provisioned product for that account, and then the account will disappear from the Control Tower dashboard.

ExploringApple
  • it doesn't disappear, but gets `tainted` in service catalog – Varun Chandak Apr 07 '21 at 05:07
  • Have you found a way to remove the account completely? Even if I start with the Service Catalog termination, it still gets stuck in "Tainted". – Chris Jun 20 '21 at 10:47
  • 1
    @Chris if you close the member account there is no way to remove the record from Service Catalog because the management account loses access to it. If you haven't closed the member account, then check for the error message. If you have Control Tower still deployed, the member account must have the AWSControlTowerExecution IAM role to work. If the member account is closed, then just raise a support ticket to remove the product record from Service Catalog. – ExploringApple Jun 21 '21 at 12:10
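The procedure from both answers (terminate the Account Factory provisioned product, then leave the organization) as AWS CLI calls, with the TAINTED/ERROR case raised in the comments handled explicitly. This is an added example, not code from either answer or from AWS; it assumes AWS CLI v2 configured with management-account credentials, and the account id and provisioned product name given on the command line are hypothetical placeholders (Account Factory does not necessarily name the product after the account id, so the name is passed separately).

```shell
#!/bin/sh
# Added example (not from either answer): unmanage an Account Factory account and
# remove it from the organization, from the management (master) account.
# Assumes AWS CLI v2 with management-account credentials. The account id and
# provisioned product name passed as $1 and $2 are hypothetical placeholders.
set -eu

# Pure helper: succeed only if $1 is a 12-digit AWS account id.
valid_account_id() {
  case "$1" in
    ????????????) case "$1" in *[!0-9]*) return 1 ;; esac ;;
    *) return 1 ;;
  esac
}

# Pure helper: map a Service Catalog provisioned product status (as returned by
# DescribeProvisionedProduct) to the next action for the unmanage step.
next_action() {
  case "$1" in
    AVAILABLE)                     echo terminate ;;
    TAINTED|ERROR)                 echo inspect-last-record ;;
    UNDER_CHANGE|PLAN_IN_PROGRESS) echo wait ;;
    *)                             echo unknown ;;
  esac
}

# Step 1: terminate the Account Factory provisioned product ("unmanage").
# This removes the account from its OU and the landing zone; it does not close it.
unmanage_account() {
  pp_name="$1"
  status=$(aws servicecatalog describe-provisioned-product --name "$pp_name" \
             --query 'ProvisionedProductDetail.Status' --output text)
  case "$(next_action "$status")" in
    terminate)
      aws servicecatalog terminate-provisioned-product --provisioned-product-name "$pp_name"
      ;;
    inspect-last-record)
      # TAINTED/ERROR means the last operation failed: typically the member account
      # is already closed, or the AWSControlTowerExecution role is missing in it.
      # Show the recorded error, then ask Service Catalog to stop managing the
      # product even if it cannot clean up the underlying resources.
      rec=$(aws servicecatalog describe-provisioned-product --name "$pp_name" \
              --query 'ProvisionedProductDetail.LastRecordId' --output text)
      aws servicecatalog describe-record --id "$rec" --query 'RecordDetail.RecordErrors'
      aws servicecatalog terminate-provisioned-product --provisioned-product-name "$pp_name" \
        --ignore-errors
      ;;
    wait)
      echo "provisioned product $pp_name is $status; retry later" >&2
      return 1
      ;;
    *)
      echo "unexpected status '$status' for $pp_name" >&2
      return 1
      ;;
  esac
}

# Step 2: leave the organization. The account must first be able to stand alone
# (contact details, payment method, support plan), otherwise this call fails.
remove_from_org() {
  aws organizations remove-account-from-organization --account-id "$1"
}

# Step 3 (closing the account as its root user) is a console action in the
# first answer and is not scripted here.
if [ "$#" -eq 2 ]; then
  valid_account_id "$1" || { echo "not a 12-digit account id: $1" >&2; exit 2; }
  unmanage_account "$2"
  remove_from_org "$1"
fi
```

Usage: `sh unmanage.sh 123456789012 <provisioned-product-name>`. The `--ignore-errors` flag on the TAINTED path is Service Catalog's documented way to drop a product it can no longer clean up; if the record still will not go away (for example because the member account was already closed and the management account has lost access to it), only AWS Support can clear it, as the comment above says. Note also that AWS has since added `aws organizations close-account`, which closes a member account from the management account while it is still in the organization; using it replaces steps 2 and 3 rather than following them, since a removed account can no longer be closed that way.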