Protecting member accounts from closure with AWS Organizations

If you want to protect a member account from accidental closure, attach an IAM policy to the identities in the management account that could call organizations:CloseAccount, and have that policy deny the action for the accounts you want to exempt. Any member account covered by such a policy can't be closed by those identities. This can't be accomplished with an SCP, because SCPs don't affect principals in the management account, and that is where CloseAccount is called from. Note that an identity-based Deny only binds the identities it is attached to: a principal without the policy, and the management account's root user (which IAM policies never restrict), can still close the account.

You can write the Deny in either of two ways: by matching a tag on the target account, or by listing the protected account ARNs explicitly.

Example IAM policies that prevent member account closures

The following examples show the two methods. Each is an identity-based policy attached in the management account; neither restricts what the member account itself can do.

Prevent tagged member accounts from getting closed

You can attach the following policy to an identity in your management account. It prevents that identity from closing any member account that carries the tag key AccountType with the value Critical. The aws:ResourceTag/AccountType global condition key is evaluated against the tags on the target account, so the protection follows the tag: tag a new account AccountType=Critical and it is covered without editing the policy. The flip side is that anyone who can remove that tag from the account can lift the protection, so restrict organizations:UntagResource on those accounts too.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PreventCloseAccountForTaggedAccts",
      "Effect": "Deny",
      "Action": "organizations:CloseAccount",
      "Resource": "*",
      "Condition": {
        "StringEquals": {"aws:ResourceTag/AccountType": "Critical"}
      }
    }
  ]
}

Prevent member accounts listed in this policy from getting closed

You can attach the following policy to an identity in your management account. It prevents that identity from closing the member accounts named in the Resource element. Account ARNs take the form arn:aws:organizations::<management-account-id>:account/<organization-id>/<member-account-id>; in the example, 555555555555 is the management account and o-12345abcdef the organization. Because the list is static, every newly created account you want protected has to be added to the policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PreventCloseAccount",
      "Effect": "Deny",
      "Action": "organizations:CloseAccount",
      "Resource": [
        "arn:aws:organizations::555555555555:account/o-12345abcdef/123456789012",
        "arn:aws:organizations::555555555555:account/o-12345abcdef/123456789014"
      ]
    }
  ]
}
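To check what the two policies above actually cover before deploying them, the following is an added example (not AWS code or part of this page) that evaluates them offline the way IAM does for Deny statements: a statement matches when its Action, Resource and Condition all match the request, and aws:ResourceTag/<key> is read from the tags on the target account. It also goes one step past the page by adding an assumed hardening statement that denies organizations:UntagResource on Critical accounts, to show that without it the tag-based protection can be removed. The sample tags, the third account ID and the hardening policy are constructed for the example; whether aws:ResourceTag is supported for UntagResource on account resources should be confirmed against the Organizations actions table before relying on it.

```python
"""Offline evaluator for the Deny-only IAM policies on this page (added example)."""
import json
import re

# The two policies exactly as shown on the page.
TAG_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PreventCloseAccountForTaggedAccts",
    "Effect": "Deny",
    "Action": "organizations:CloseAccount",
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:ResourceTag/AccountType": "Critical"}}
  }]
}""")

ARN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PreventCloseAccount",
    "Effect": "Deny",
    "Action": "organizations:CloseAccount",
    "Resource": [
      "arn:aws:organizations::555555555555:account/o-12345abcdef/123456789012",
      "arn:aws:organizations::555555555555:account/o-12345abcdef/123456789014"
    ]
  }]
}""")

# Assumed hardening statement (not from the page): stop the protecting tag
# from being stripped by the same identities the CloseAccount deny binds.
HARDENING_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PreventUntagCriticalAccts",
    "Effect": "Deny",
    "Action": "organizations:UntagResource",
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:ResourceTag/AccountType": "Critical"}}
  }]
}""")

MGMT_ACCOUNT = "555555555555"   # management account ID from the page
ORG_ID = "o-12345abcdef"        # organization ID from the page

# Constructed sample data: tags as they would be attached to member accounts.
SAMPLE_TAGS = {
    "123456789012": {"AccountType": "Critical"},   # tagged and listed
    "123456789014": {},                            # listed only
    "123456789016": {"AccountType": "Sandbox"},    # neither
}


def account_arn(account_id):
    """Build the Organizations account ARN in the format the page uses."""
    return f"arn:aws:organizations::{MGMT_ACCOUNT}:account/{ORG_ID}/{account_id}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def _condition_matches(condition, resource_tags):
    """Only StringEquals on aws:ResourceTag/<key> is modelled, as that is all the page uses."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if not key.startswith("aws:ResourceTag/"):
                raise NotImplementedError(f"condition key {key} not modelled")
            tag_key = key[len("aws:ResourceTag/"):]
            if resource_tags.get(tag_key) not in _as_list(expected):
                return False
    return True  # an absent Condition block always matches


def explicit_denies(policies, action, resource_arn, resource_tags=None):
    """Return the Sids of Deny statements that match the request, in policy order."""
    hits = []
    for policy in policies:
        for stmt in policy["Statement"]:
            if stmt["Effect"] != "Deny":
                continue
            if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_glob(r, resource_arn) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_matches(stmt.get("Condition", {}), resource_tags or {}):
                continue
            hits.append(stmt["Sid"])
    return hits


def close_is_denied(account_id, policies=(TAG_POLICY, ARN_POLICY)):
    """True if CloseAccount on the sample account hits an explicit Deny."""
    tags = SAMPLE_TAGS.get(account_id, {})
    return bool(explicit_denies(list(policies), "organizations:CloseAccount",
                                account_arn(account_id), tags))


if __name__ == "__main__":
    for acct in SAMPLE_TAGS:
        print(acct, "CloseAccount denied:", close_is_denied(acct))
    critical = account_arn("123456789012")
    print("UntagResource denied by page policies:",
          explicit_denies([TAG_POLICY, ARN_POLICY], "organizations:UntagResource",
                          critical, SAMPLE_TAGS["123456789012"]))
    print("UntagResource denied with hardening:",
          explicit_denies([HARDENING_POLICY], "organizations:UntagResource",
                          critical, SAMPLE_TAGS["123456789012"]))
```

Run as a script it shows that 123456789012 is denied by both statements, 123456789014 only by the explicit ARN list, and the Sandbox account by neither; it also shows that the page's policies leave UntagResource on the Critical account unrestricted, which is the gap the assumed hardening statement closes.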