Resources not removed during decommissioning - AWS Control Tower

Decommissioning a landing zone does not fully reverse the AWS Control Tower setup process. Certain resources remain; you can remove them manually if you no longer need them.

AWS Organizations

For customers without an existing organization in AWS Organizations, AWS Control Tower sets up an organization with two organizational units (OUs), named Security and Sandbox. When you decommission your landing zone, the hierarchy of the organization is preserved, as follows:

  • Organizational Units (OUs) you created from the AWS Control Tower console are not removed.

  • The Security and Sandbox OUs are not removed.

  • The organization is not deleted from AWS Organizations.

  • No accounts in AWS Organizations (shared, provisioned, or management) are moved or removed.

AWS IAM Identity Center (SSO)

For customers without an existing IAM Identity Center directory, AWS Control Tower sets up IAM Identity Center and configures an initial directory. When you decommission your landing zone, AWS Control Tower makes no changes to IAM Identity Center. If needed, you can delete the IAM Identity Center information stored in your management account manually. In particular, these areas are unchanged by decommissioning:

  • Users created with Account Factory are not removed.

  • Groups created by AWS Control Tower setup are not removed.

  • Permission sets created by AWS Control Tower are not removed.

  • Associations between AWS accounts and IAM Identity Center permission sets are not removed.

  • IAM Identity Center directories are not changed.

Roles

During setup, AWS Control Tower creates certain roles for you if you use the console, or it asks you to create these roles if you set up your landing zone through the APIs. When you decommission your landing zone, the following roles are not removed:

  • AWSControlTowerAdmin

  • AWSControlTowerCloudTrailRole

  • AWSControlTowerStackSetRole

  • AWSControlTowerConfigAggregatorRoleForOrganizations

Amazon S3 Buckets

During setup, AWS Control Tower creates a logging bucket and a logging-access bucket in the logging account (the Log Archive account). When you decommission your landing zone, the following resources are not removed:

  • Logging and logging access S3 buckets in the logging account are not removed.

  • Contents of the logging and logging access buckets are not removed.

Shared Accounts

Two shared accounts (Audit and Log Archive) are created in the Security OU during AWS Control Tower setup. When you decommission your landing zone:

  • Shared accounts that were created during AWS Control Tower setup are not closed.

  • The OrganizationAccountAccessRole IAM role is recreated to align with standard AWS Organizations configuration.

  • The AWSControlTowerExecution role is removed.

Provisioned Accounts

AWS Control Tower customers can use Account Factory to create new AWS accounts. When you decommission your landing zone:

  • Provisioned accounts you created with Account Factory are not closed.

  • Provisioned products in AWS Service Catalog are not removed. If you clean those up by terminating them, their accounts are moved into the Root OU.

  • The VPC that AWS Control Tower created is not removed, and the associated AWS CloudFormation stack set (BP_ACCOUNT_FACTORY_VPC) is not removed.

  • The OrganizationAccountAccessRole IAM role is recreated to align with standard AWS Organizations configuration.

  • The AWSControlTowerExecution role is removed.

CloudWatch Logs Log Group

A CloudWatch Logs log group, aws-controltower/CloudTrailLogs, is created as part of the blueprint named AWSControlTowerBP-BASELINE-CLOUDTRAIL-MANAGEMENT. This log group is not removed. Instead, the blueprint is deleted and the resources are retained.

  • This log group must be deleted manually before you set up another landing zone.

Note

Customers on landing zone 3.0 and later do not need to delete their individual enrolled account’s CloudTrail logs and CloudTrail logs roles, because these are created in the management account only, for the organization-level trail.

Beginning with landing zone version 3.2, AWS Control Tower creates an EventBridge rule, called AWSControlTowerManagedRule. This rule is created in each member account, for all governed Regions. The rule is not deleted automatically during decommissioning, so you must delete it manually from the shared and member accounts for all governed Regions before you can set up a landing zone in a new Region.
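Because the leftovers listed on this page are spread across the management account, the shared accounts and every member account in every governed Region, a read-only inventory is the natural first step before cleaning up. The following script is an added example, not AWS's own code. It assumes boto3 is installed, that the default credentials belong to the management account, that you pass the governed Regions on the command line, that OrganizationAccountAccessRole (which this page says is recreated in the shared and provisioned accounts) can be assumed in each member account, and that the logging-account buckets are named with the prefix aws-controltower- (an assumption, since the page does not give the bucket names). It checks the four IAM roles, the aws-controltower/CloudTrailLogs log group, the logging buckets and the AWSControlTowerManagedRule EventBridge rule, and deletes nothing.

```python
"""Read-only inventory of the Control Tower resources this page says survive
decommissioning. Added example, not AWS's code. Assumptions: boto3 is
installed, the default credentials belong to the management account, the
caller passes the governed Regions, OrganizationAccountAccessRole can be
assumed in every member account, and the logging-account buckets start with
LOG_BUCKET_PREFIX (an assumption, not stated on the page)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable

# Resource names taken from the page.
CONTROL_TOWER_ROLES = frozenset({
    "AWSControlTowerAdmin",
    "AWSControlTowerCloudTrailRole",
    "AWSControlTowerStackSetRole",
    "AWSControlTowerConfigAggregatorRoleForOrganizations",
})
CLOUDTRAIL_LOG_GROUP = "aws-controltower/CloudTrailLogs"
MANAGED_EVENT_RULE = "AWSControlTowerManagedRule"
LOG_BUCKET_PREFIX = "aws-controltower-"  # assumption: naming prefix of the logging buckets


@dataclass
class Leftovers:
    roles: list[str] = field(default_factory=list)
    buckets: list[str] = field(default_factory=list)
    log_group_present: bool = False
    event_rules: list[tuple[str, str]] = field(default_factory=list)  # (account_id, Region)

    def is_clean(self) -> bool:
        return not (self.roles or self.buckets or self.log_group_present or self.event_rules)


# Pure checks: they take names that were already fetched, so they run offline.
def leftover_roles(role_names: Iterable[str]) -> list[str]:
    return sorted(CONTROL_TOWER_ROLES.intersection(role_names))


def leftover_buckets(bucket_names: Iterable[str]) -> list[str]:
    return sorted(b for b in bucket_names if b.startswith(LOG_BUCKET_PREFIX))


def log_group_remains(log_group_names: Iterable[str]) -> bool:
    return CLOUDTRAIL_LOG_GROUP in set(log_group_names)


def leftover_event_rules(rules: dict[tuple[str, str], Iterable[str]]) -> list[tuple[str, str]]:
    """Keys are (account_id, region); values are the rule names found there."""
    return sorted(key for key, names in rules.items() if MANAGED_EVENT_RULE in set(names))


def _member_session(mgmt, account_id: str, role_name: str):
    """Assume the Organizations role in a member account (used read-only here)."""
    import boto3  # imported lazily so the pure checks above need no AWS SDK
    creds = mgmt.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
        RoleSessionName="control-tower-leftover-audit",
    )["Credentials"]
    return boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


def collect_live(regions: list[str], member_role: str = "OrganizationAccountAccessRole") -> Leftovers:
    """Query the management account and every member account; delete nothing."""
    import boto3
    mgmt = boto3.Session()
    report = Leftovers()

    # Management account: the four IAM roles and the CloudTrail log group (home Region first).
    roles = mgmt.client("iam").get_paginator("list_roles").paginate()
    report.roles = leftover_roles(r["RoleName"] for page in roles for r in page["Roles"])
    groups = mgmt.client("logs", region_name=regions[0]).get_paginator(
        "describe_log_groups").paginate(logGroupNamePrefix="aws-controltower")
    report.log_group_present = log_group_remains(
        g["logGroupName"] for page in groups for g in page["logGroups"])

    # Member accounts (shared and provisioned): logging buckets and the EventBridge rule per Region.
    mgmt_id = mgmt.client("sts").get_caller_identity()["Account"]
    accounts = mgmt.client("organizations").get_paginator("list_accounts").paginate()
    rules: dict[tuple[str, str], list[str]] = {}
    for page in accounts:
        for acct in page["Accounts"]:
            if acct["Status"] != "ACTIVE" or acct["Id"] == mgmt_id:
                continue
            sess = _member_session(mgmt, acct["Id"], member_role)
            report.buckets += leftover_buckets(
                b["Name"] for b in sess.client("s3").list_buckets()["Buckets"])
            for region in regions:
                found = sess.client("events", region_name=region).list_rules(NamePrefix=MANAGED_EVENT_RULE)
                rules[(acct["Id"], region)] = [r["Name"] for r in found["Rules"]]
    report.event_rules = leftover_event_rules(rules)
    return report


if __name__ == "__main__":
    import sys
    result = collect_live(sys.argv[1:] or ["us-east-1"])
    print("clean" if result.is_clean() else result)
```

Run it as `python audit.py us-east-1 eu-west-1` with the governed Regions; an empty report means nothing from this page's lists remains. The live collection is kept separate from the pure checks so the matching logic can be tested without credentials, and the script only assumes OrganizationAccountAccessRole because the page states that AWSControlTowerExecution is removed from the shared and provisioned accounts.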

Procedures for how to delete AWS Control Tower resources are given in Manage AWS Control Tower Resources.