Suspended OU - Organizing Your AWS Environment Using Multiple Accounts

Suspended OU

The Suspended OU is a temporary holding area for accounts whose use must be suspended.

Moving an account to this OU does not automatically change the overall status of the account. For example, in cases where you intend to permanently stop using an account, you would follow the Closing an account process to permanently close the account.

Examples of using the Suspended OU include:

  • A person’s sandbox account is no longer needed due to the departure of the person from the company.

  • A workload account is no longer needed due to the resources having been either retired or migrated to another account.

Constraining activity in suspended accounts

You can use service control policies (SCPs) to prevent users other than your security and cloud platform teams from using AWS APIs in each suspended account. Additionally, you can remove application-level access so that users can no longer access and manage application resources in each suspended account.
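One way to express such an SCP, shown as an added example that is not part of the original guide: the script builds a deny-all policy that exempts only security and cloud platform team roles, then checks constructed principal ARNs against it. The role name patterns and the account ID are assumptions, and `is_denied` is a simplified local model of the `ArnNotLike` condition, not AWS policy evaluation.

```python
import json
from fnmatch import fnmatchcase

# Hypothetical role name patterns for the two exempt teams (assumption).
EXEMPT_ROLE_PATTERNS = [
    "arn:aws:iam::*:role/SecurityTeam*",
    "arn:aws:iam::*:role/CloudPlatformTeam*",
]


def build_suspended_scp(exempt_patterns):
    """Return an SCP document that denies every action to non-exempt principals."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllExceptSecurityAndPlatform",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            # The deny applies when the caller's ARN matches none of the patterns.
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": list(exempt_patterns)}},
        }],
    }


def arn_like(arn, pattern):
    """Approximate ArnLike: compare each colon-delimited ARN component separately."""
    a, p = arn.split(":", 5), pattern.split(":", 5)
    return len(a) == len(p) and all(fnmatchcase(x, y) for x, y in zip(a, p))


def is_denied(scp, principal_arn):
    """Local model only: True if a Deny statement in the SCP covers this principal."""
    for stmt in scp["Statement"]:
        patterns = stmt["Condition"]["ArnNotLike"]["aws:PrincipalArn"]
        if stmt["Effect"] == "Deny" and not any(arn_like(principal_arn, p) for p in patterns):
            return True
    return False


def render_scp(scp):
    """Serialize the policy as JSON text to attach to the Suspended OU."""
    return json.dumps(scp, indent=2)


if __name__ == "__main__":
    scp = build_suspended_scp(EXEMPT_ROLE_PATTERNS)
    print(render_scp(scp))
    # Constructed sample principals in a constructed account ID.
    for arn in ("arn:aws:iam::111122223333:role/SecurityTeamAdmin",
                "arn:aws:iam::111122223333:role/DeveloperSandbox"):
        print(arn, "-> denied" if is_denied(scp, arn) else "-> not blocked by SCP")
```

SCPs do not apply to the management account or to service-linked roles, so this policy constrains only principals in member accounts placed under the OU.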

To reduce risk and potentially minimize costs, you can also stop any running resources and applications in each suspended account.

Resources should not be deleted from a suspended account unless the account is intended to be closed.

Tagging suspended accounts

Because you might use the Suspended OU for a variety of use cases, we recommend that you apply tags to each account to record the reason for moving the account and the OU from which the account originated. Each process that you establish to support your suspension use cases can use the tag to automatically process the suspended accounts. This tag can also aid in your internal tracing and auditing of an account’s lifecycle.

Closing suspended accounts

If an account is moved to this OU prior to the start of the closure process, you can implement a policy and process to automatically start the account closing process a certain number of days after an account has been moved to this OU.

Once the account closure process has been completed, the account is no longer visible in your organization.