Manage AWS Control Tower Resources - AWS Control Tower

This document provides instructions for removing AWS Control Tower resources individually, as part of regular maintenance and administrative tasks. The procedures given in this chapter are intended only for removing individual resources, or a few resources, when needed. This is not the same as decommissioning your landing zone.

Two types of tasks may require you to remove resources:
  • To delete resources as you manage your landing zone in ordinary situations.

  • To clean up resources that remain after automated decommissioning.

Warning

Manually removing resources will not allow you to set up a new landing zone. It is not the same as decommissioning. If you intend to decommission your AWS Control Tower landing zone, follow the instructions in Walkthrough: Decommission an AWS Control Tower Landing Zone before you take any actions described in this chapter. The instructions in this chapter can help you clean up resources that remain after automated decommissioning is complete. Even if you delete all of your landing zone resources manually, it is not the same as decommissioning the landing zone, and you may incur unexpected charges.

If you need to remove an account from AWS Control Tower, see the following sections to close an account:

Do I need decommissioning instead of deleting?

If you no longer intend to use AWS Control Tower for your enterprise, or if you require a major redeployment of your organizational resources, you may want to decommission the resources created when you initially set up your landing zone.

  • After the decommissioning process is complete, a few resource artifacts remain, such as Amazon S3 buckets and Amazon CloudWatch Logs log groups.

  • You must clean up the remaining resources in your accounts manually before you set up another landing zone, and to avoid the possibility of unexpected charges. For more information, see Resources not removed during decommissioning.

Warning

We strongly recommend that you perform a decommissioning process only if you intend to stop using your landing zone. This process cannot be undone.

About removing AWS Control Tower resources

The individual procedures in this chapter guide you through manual methods of removing AWS Control Tower resources. These procedures can be followed when you need to delete a specific resource from your landing zone.

Before performing these procedures, unless it's otherwise indicated, you must be signed in to the AWS Management Console in the home Region for your landing zone, and you must be signed in as an IAM user or user in IAM Identity Center with administrative permissions for the management account that contains your landing zone.

Warning

These are destructive actions that can introduce governance drift into your AWS Control Tower setup. They cannot be undone.

AWS Control Tower resource help

If you encounter any issues that you can't resolve when you remove AWS Control Tower resources, contact AWS Support.