Removing a member account from your organization
Part of managing accounts in an organization is removing member accounts that you no longer need. This page describes what you need to know before removing an account and provides procedures for removing accounts.
For information on removing the management account (formerly known as the "master account"), see Deleting the organization by removing the management account.
Before removing an account from an organization
Before you remove an account, it's important to know the following:
- You can remove an account from your organization only if the account has the information that is required for it to operate as a standalone account. When you create an account in an organization using the AWS Organizations console, API, or AWS CLI commands, not all of the information that is required of standalone accounts is automatically collected. For each account that you want to make standalone, you must choose a support plan, provide and verify the required contact information, and provide a current payment method. AWS uses the payment method to charge for any billable (not AWS Free Tier) AWS activity that occurs while the account isn't attached to an organization.
- The account that you want to remove must not be a delegated administrator account for any AWS service enabled for your organization. If the account is a delegated administrator, you must first change the delegated administrator account to another account that is remaining in the organization. For more information about how to disable or change the delegated administrator account for an AWS service, see the documentation for that service.
- Even after the removal of created accounts (accounts created using the AWS Organizations console or the CreateAccount API) from within an organization, (i) created accounts are governed by the terms of the creating management account's agreement with us, and (ii) the creating management account remains jointly and severally liable for any actions taken by its created accounts. Customers' agreements with us, and the rights and obligations under those agreements, cannot be assigned or transferred without our prior consent. To obtain our consent, contact us at https://aws.amazon.com/contact-us/.
- When a member account leaves an organization, that account no longer has access to cost and usage data from the time range when the account was a member of the organization. However, the management account of the organization can still access the data. If the account rejoins the organization, the account can access that data again.
- When a member account leaves an organization, all tags attached to the account are deleted.
Effects of removing an account from an organization
When you remove an account from an organization, no direct changes are made to the account. However, the following indirect effects occur:
- The account is now responsible for paying its own charges and must have a valid payment method attached to the account.
- The principals in the account are no longer affected by any policies that applied in the organization. This means that restrictions imposed by SCPs are gone, and the users and roles in the account might have more permissions than they had before. Other organization policy types can no longer be enforced or processed.
- Integration with other services might be disabled. For example, AWS Single Sign-On requires an organization to operate, so if you remove an account from an organization that supports AWS SSO, the users in that account can no longer use that service.
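The prerequisites and effects listed above can be collected before an account is removed. The following is an added example, not AWS's own code: it reports delegated-administrator registrations that block removal, the SCPs (attached directly or inherited from parent OUs and the root) that stop applying, and the account tags that will be deleted. It assumes a boto3 Organizations client used from the management account; the function names and report keys are hypothetical.

```python
def _all(call, key, **kwargs):
    """Follow NextToken until a paginated Organizations listing is exhausted."""
    items = []
    while True:
        resp = call(**kwargs)
        items.extend(resp.get(key, []))
        if not resp.get("NextToken"):
            return items
        kwargs["NextToken"] = resp["NextToken"]


def preremoval_report(org, account_id):
    """Summarise what blocks removal and what the account loses afterwards.

    `org` is assumed to be boto3.client("organizations") used from the
    management account; any object exposing the same methods works.
    """
    # Blocker: a delegated administrator account cannot be removed.
    admins = _all(org.list_delegated_administrators, "DelegatedAdministrators")
    services = []
    if any(a["Id"] == account_id for a in admins):
        services = [s["ServicePrincipal"] for s in _all(
            org.list_delegated_services_for_account, "DelegatedServices",
            AccountId=account_id)]

    # SCPs stop applying on removal: collect those attached to the account
    # and those inherited from every parent OU up to and including the root.
    scps, target, at_root = [], account_id, False
    while True:
        for p in _all(org.list_policies_for_target, "Policies",
                      TargetId=target, Filter="SERVICE_CONTROL_POLICY"):
            scps.append({"attached_to": target, "name": p["Name"]})
        if at_root:
            break
        parent = _all(org.list_parents, "Parents", ChildId=target)[0]
        target, at_root = parent["Id"], parent["Type"] == "ROOT"

    # Tags on the account are deleted when it leaves; keep a copy.
    tags = {t["Key"]: t["Value"] for t in _all(
        org.list_tags_for_resource, "Tags", ResourceId=account_id)}
    return {"delegated_admin_for": services, "blocked": bool(services),
            "scps_lost": scps, "tags_lost": tags}


if __name__ == "__main__":
    import json, sys, boto3  # needs credentials for the management account
    print(json.dumps(preremoval_report(boto3.client("organizations"),
                                       sys.argv[1]), indent=2))
```

The listing calls need read permissions such as organizations:ListPoliciesForTarget and organizations:ListTagsForResource in addition to the permissions this page names.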
Removing a member account from your organization
When you sign in to the organization's management account, you can remove member accounts from the organization that you no longer need. To do this, complete the following procedure. These procedures apply only to member accounts. To remove the management account, you must delete the organization.
If a member account is removed from an organization, that member account will no longer be covered by organization agreements. Management account administrators should communicate this to member accounts before removing member accounts from the organization, so that member accounts can put new agreements in place if necessary. A list of active organization agreements can be viewed in AWS Artifact Organization Agreements.
To remove one or more member accounts from your organization, you must sign in as an IAM user or role in the management account with the following permissions:
- organizations:DescribeOrganization (console only)
- organizations:RemoveAccountFromOrganization
If you choose to sign in as an IAM user or role in a member account in step 5, then that user or role must have the following permissions:
- organizations:DescribeOrganization (console only).
- organizations:LeaveOrganization – Note that the organization administrator can apply a policy to your account that removes this permission, preventing you from removing your account from the organization.
- If you sign in as an IAM user and the account is missing payment information, the IAM user must have the permissions aws-portal:ModifyBilling and aws-portal:ModifyPaymentMethods. Also, the member account must have IAM user access to billing enabled. If this isn't already enabled, see Activating Access to the Billing and Cost Management Console in the AWS Billing and Cost Management User Guide.
Leaving an organization as a member account
When signed in to a member account, you can remove that one account from its organization. To do this, complete the following procedure. The management account can't leave the organization using this technique. To remove the management account, you must delete the organization.
The account that you want to remove must not be a delegated administrator account for any AWS service enabled for your organization. If the account is a delegated administrator, you must first change the delegated administrator account to another account that is remaining in the organization. For more information about how to disable or change the delegated administrator account for an AWS service, see the documentation for that service.
If you leave an organization, you are no longer covered by organization agreements that were accepted on your behalf by the management account of the organization. You can view a list of these organization agreements in AWS Artifact Organization Agreements.
An account’s status with an organization affects what cost and usage data is visible:
- If a member account leaves an organization and becomes a standalone account, the account no longer has access to cost and usage data from the time range when the account was a member of the organization. The account has access only to the data that is generated as a standalone account.
- If a member account leaves organization A to join organization B, the account no longer has access to cost and usage data from the time range when the account was a member of organization A. The account has access only to the data that is generated as a member of organization B.
- If an account rejoins an organization that it previously belonged to, the account regains access to its historical cost and usage data.
To leave an AWS organization, you must have the following permissions:
- organizations:DescribeOrganization (console only).
- organizations:LeaveOrganization – Note that the organization administrator can apply a policy to your account that removes this permission, preventing you from removing your account from the organization.
- If you sign in as an IAM user and the account is missing payment information, the IAM user must have the permissions aws-portal:ModifyBilling and aws-portal:ModifyPaymentMethods. Also, the member account must have IAM user access to billing enabled. If this isn't already enabled, see Activating Access to the Billing and Cost Management Console in the AWS Billing and Cost Management User Guide.
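Both permission lists above note that an administrator can apply a policy that removes organizations:LeaveOrganization from a member account; a service control policy (SCP) with a Deny on that action is one such policy. The following added example (not from AWS's documentation; the sample SCP and the function names are constructed for illustration) checks whether an SCP document unconditionally denies the action, including through wildcards or NotAction.

```python
import json
from fnmatch import fnmatchcase

# IAM action names match case-insensitively, so compare in lower case.
GUARDED = "organizations:leaveorganization"

# Constructed sample SCP, not taken from the page.
SAMPLE_SCP = """
{"Version": "2012-10-17",
 "Statement": [{"Sid": "DenyLeaveOrganization",
                "Effect": "Deny",
                "Action": "organizations:LeaveOrganization",
                "Resource": "*"}]}
"""


def _as_list(value):
    """Policy elements may be a single value or a list of values."""
    return value if isinstance(value, list) else [value]


def _covers(patterns):
    """True if any action pattern (* and ? wildcards) matches the guarded action."""
    return any(fnmatchcase(GUARDED, p.lower()) for p in _as_list(patterns))


def denies_leave(policy_json):
    """True if the SCP text unconditionally denies organizations:LeaveOrganization."""
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if "Condition" in stmt:      # a conditional deny leaves gaps; do not count it
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        if "NotAction" in stmt:      # denies everything except the listed actions
            if not _covers(stmt["NotAction"]):
                return True
        elif _covers(stmt.get("Action", [])):
            return True
    return False
```

The check reads policy text only; the SCP restricts an account only while it is attached to that account, one of its parent OUs, or the root.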