Leave an organization from a member account with AWS Organizations
When you sign in to a member account, you can leave an organization. The management account can't leave the organization using this
technique. To remove the management account, you must delete the organization.
Considerations
An account’s status with an organization affects what cost and usage data is visible
If a member account leaves an organization and becomes a standalone account,
the account no longer has access to cost and usage data from the time range when the account was a member of the organization.
The account has access only to the data that is generated as a standalone account.
If a member account leaves organization A to join organization B, the account no longer has access to cost and usage data from the time range when the account
was a member of organization A. The account has access only to the data that is generated as a member of organization B.
If an account rejoins an organization that it previously belonged to, the account regains access to its historical cost and usage data.
The account is no longer covered by organization agreements that were accepted on its behalf
If you leave an organization, you are no longer covered by organization agreements
that were accepted on your behalf by the management account of the organization. You
can view a list of these organization agreements in the AWS Artifact console on the AWS Artifact Organization Agreements page. Before leaving the organization,
you should determine (with the assistance of your legal, privacy, or compliance
teams where appropriate) whether it is necessary for you to have new agreement(s) in
place.
Leave an organization from a member account
To leave an organization, complete the following procedure.
To leave an organization, you must have the following permissions:
- organizations:DescribeOrganization – required only when using the Organizations console.
- organizations:LeaveOrganization – Note that the organization administrator can apply a policy to your account that removes this permission, preventing you from removing your account from the organization.
- If you sign in as an IAM user and the account is missing payment information, the user must have either aws-portal:ModifyBilling and aws-portal:ModifyPaymentMethods permissions (if the account has not yet migrated to fine-grained permissions) OR payments:CreatePaymentInstrument and payments:UpdatePaymentPreferences permissions (if the account has migrated to fine-grained permissions). Also, the member account must have IAM user access to billing enabled. If this isn't already enabled, see Activating Access to the Billing and Cost Management Console in the AWS Billing User Guide.
AWS Management Console
To leave an organization from your member account
- Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in a member account.
  By default, you don't have access to the root user password in a member account that was created using AWS Organizations. If required, recover the root user password by following the steps at Accessing a member account as the root user with AWS Organizations.
- On the Organizations Dashboard page, choose Leave this organization.
- In the Confirm leaving the organization? dialog box, choose Leave organization. When prompted, confirm your choice to remove the account. After you have confirmed, you are redirected to the Getting Started page of the AWS Organizations console, where you can view any pending invitations for your account to join other organizations.
  If you see a You can't leave the organization yet message, your account doesn't have all the required information to operate as a standalone account. If this is the case, proceed to the next step.
- If the Confirm leaving the organization? dialog box displays the message You can't leave the organization yet, choose the Complete the account sign-up steps link.
  If you do not see the Complete the account sign-up steps link, use this link to go to the Sign up for AWS page and complete the missing registration steps.
- On the Sign up for AWS page, enter all of the required information necessary for this to become a standalone account. This might include the following types of information:
- When you see the dialog box stating that the sign-up process is complete, choose Leave organization.
  A confirmation dialog box appears. Confirm your choice to remove the account. You are redirected to the Getting Started page of the AWS Organizations console, where you can view any pending invitations for your account to join other organizations.
- Remove the IAM roles that grant access to your account from the organization.
  If your account was created in the organization, then Organizations automatically created an IAM role in the account that enabled access by the organization's management account. If the account was invited to join, then Organizations did not automatically create such a role, but you or another administrator might have created one to get the same benefits. In either case, when you remove the account from the organization, any such role isn't automatically deleted. If you want to terminate this access from the former organization's management account, then you must manually delete this IAM role. For information about how to delete a role, see Deleting roles or instance profiles in the IAM User Guide.
AWS CLI & AWS SDKs
To leave an organization as a member account
You can use one of the following commands to leave an organization:
- AWS CLI: leave-organization
  The following example causes the account whose credentials are used to run the command to leave the organization.
  $ aws organizations leave-organization
  This command produces no output when successful.
- AWS SDKs: LeaveOrganization
After the member account has left the organization, make sure to remove
the IAM roles that grant access to your account from the
organization.
If your account was created in the organization, then Organizations
automatically created an IAM role in the account that enabled access
by the organization's management account. If the account was invited to
join, then Organizations did not automatically create such a role, but you or
another administrator might have created one to get the same benefits.
In either case, when you remove the account from the organization, any
such role isn't automatically deleted. If you want to terminate this
access from the former organization's management account, then you must
manually delete this IAM role. For information about how to delete a
role, see Deleting roles or
instance profiles in the
IAM User Guide.
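Both procedures above end with removing IAM roles that still grant the former organization access. As an added example (not part of the AWS documentation), the Python below takes role records shaped like the output of `aws iam list-roles` and reports the roles whose trust policy allows a principal in the former management account. The account IDs, most role names, and all function names are constructed for illustration.

```python
import json

# Constructed sample shaped like the "Roles" array of `aws iam list-roles`.
FORMER_MGMT = "111122223333"  # placeholder ID of the former management account

def _trust(principal):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]}

SAMPLE_ROLES = [
    # Default name of the role Organizations creates in accounts it creates.
    {"RoleName": "OrganizationAccountAccessRole",
     "AssumeRolePolicyDocument": _trust({"AWS": "arn:aws:iam::111122223333:root"})},
    {"RoleName": "legacy-admin", "AssumeRolePolicyDocument": _trust(
        {"AWS": ["arn:aws:iam::444455556666:role/ci", "111122223333"]})},
    {"RoleName": "lambda-exec",
     "AssumeRolePolicyDocument": _trust({"Service": "lambda.amazonaws.com"})},
    {"RoleName": "partner-readonly",
     "AssumeRolePolicyDocument": _trust({"AWS": "arn:aws:iam::444455556666:root"})},
]

def _as_list(value):
    """IAM policy fields may hold one value or a list of values."""
    return value if isinstance(value, list) else [] if value is None else [value]

def _account_of(principal):
    """Account ID named by an AWS principal string, or '*' for a wildcard."""
    if principal == "*" or (principal.isdigit() and len(principal) == 12):
        return principal
    parts = principal.split(":")  # arn:partition:iam::ACCOUNT:root|role/...|user/...
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else None

def roles_trusting_account(roles, account_id):
    """Names of roles whose trust policy lets account_id (or anyone) assume them."""
    flagged = []
    for role in roles:
        doc = role["AssumeRolePolicyDocument"]
        doc = json.loads(doc) if isinstance(doc, str) else doc
        for stmt in _as_list(doc.get("Statement")):
            principal = stmt.get("Principal", {})
            aws = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
            if stmt.get("Effect") == "Allow" and any(
                    _account_of(p) in (account_id, "*") for p in aws):
                flagged.append(role["RoleName"])
                break
    return flagged

if __name__ == "__main__":
    print(roles_trusting_account(SAMPLE_ROLES, FORMER_MGMT))
```

The check reads only the Principal element; Condition keys on a statement are not evaluated, so review each flagged role before deleting it.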
Member accounts can also be removed by a user in the management account
with remove-account-from-organization instead. For more information,
see Remove a member account
from an organization.