## Introduction
The Control Tower Landing Zone is a starting point for organizations to deploy workloads quickly. Cleaning up, however, is much slower than deploying: it takes 90 days to completely close an AWS account that Control Tower created using an existing email, and during those 90 days the management account of that AWS Organization cannot be used to deploy another Landing Zone. This post proposes a way to make the management account available for a new Landing Zone deployment sooner, with the help of a new IAM feature called root access management.
## Prerequisites
- All accounts created by Control Tower Landing Zone must use existing emails.
- The Landing Zone has been decommissioned.
## Implementation
Step 1: In the Management Account, go to the IAM Dashboard. Then select Account settings on the left sidebar. Click the Enable button in the “Centralized root access for member accounts” section:
Step 2: Enter the account ID of an account within the Organization. This account will become the Delegated Administrator for the IAM service:
Step 3: In the IAM Dashboard, select the Root access management tab on the left sidebar. Select one account that is not the delegated IAM administrator (in this case I choose the Production account) and choose "Take privileged action":
Step 4: Select “Allow password recovery”:
Step 5: Log in as the root user with the email haithe123123@yahoo.com (log in to your own account); you will receive a "password reset requirement" notification:
Step 6: Click Forgot password; an email will then be sent:
Step 7: Check the email (in my case, I check Yahoo):
Step 8: Click the link in the email and enter a new password:
Step 9: You will receive a new email notifying you that the account password has been successfully reset:
Step 10: Log in using the new password:
Step 11: Set up a payment method in the Billing Dashboard in the Payment Preferences section on the left sidebar. Click the Add payment method button:
Step 12: Enter the card information (😊) and enable “Set as default payment method”:
Step 13: Fill in the remaining information (for legal purposes) and submit:
Step 14: Go to the Organization and leave by selecting “Leave this organization”:
Step 15: Confirm leaving:
Step 16: The system will display an error. Click the link to complete the account information:
Step 17: Enter a personal phone number:
Step 18: AWS will call the phone number; switch to the keypad and enter the number shown on the browser screen:
Step 19: After entering the number, the browser redirects to the support plan selection page. Select “Basic support – Free” and click “Complete sign up”:
Step 20: You will receive an AWS Support Sign-Up Confirmation email:
Step 21: Return to the account, go to Organizations, and select the option to remove the account. You will either be notified that this may take a few days:
or the account leaves the Organization successfully:
Step 22: Repeat these steps for the remaining member accounts.
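The console clicks in Steps 1 to 4 and 14 to 21 have AWS CLI equivalents, which is useful when the same procedure has to be repeated for every member account. The script below is an added example written for this post, not code from the original article or from AWS. It assumes AWS CLI v2, default credentials belonging to the management account, and placeholder account IDs and profile names that you replace; the `enable-aws-service-access` call for `iam.amazonaws.com` is included as an assumed prerequisite for the delegation. `DRY_RUN=1` (the default) only prints the composed commands so they can be reviewed before anything is executed.

```shell
#!/bin/sh
# Added example (not from the blog post): the AWS CLI equivalent of the console steps above.
# Assumptions: AWS CLI v2 is installed, the default credentials belong to the management
# account, and the account IDs / profile names are placeholders you replace.
# DRY_RUN=1 (the default) only prints the commands so they can be reviewed first.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# run: print the composed command; execute it only when DRY_RUN=0.
run() {
  if [ "$DRY_RUN" = "0" ]; then
    "$@"
  else
    printf '%s\n' "$*"
  fi
}

# Steps 1 and 2: turn on centralized root access and name the delegated IAM administrator.
enable_central_root_access() {
  delegated="$1"
  run aws organizations enable-aws-service-access --service-principal iam.amazonaws.com
  run aws iam enable-organizations-root-credentials-management
  run aws organizations register-delegated-administrator \
      --account-id "$delegated" --service-principal iam.amazonaws.com
}

# Check: confirm the feature is on and who holds the delegation before taking privileged actions.
show_root_access_status() {
  run aws iam list-organizations-features
  run aws organizations list-delegated-administrators --service-principal iam.amazonaws.com
}

# Steps 3 and 4: "Allow password recovery" on one member account. The task policy
# IAMCreateRootUserPassword limits the short-lived root session to creating the
# root login profile, after which the member's "Forgot password" flow works.
allow_password_recovery() {
  target="$1"
  policy="arn:aws:iam::aws:policy/root-task/IAMCreateRootUserPassword"
  creds=$(run aws sts assume-root --target-principal "$target" \
      --task-policy-arn "arn=$policy" --duration-seconds 900 \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)
  if [ "$DRY_RUN" = "0" ]; then
    set -- $creds   # word-split the three tab-separated values
    export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
  else
    printf '%s\n' "$creds"   # dry run: $creds holds the composed command, not credentials
  fi
  run aws iam create-login-profile   # runs as the member's root user inside the task session
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Steps 14 to 21: once billing and contact details are complete, remove the member.
# leave_organization runs with the member's own credentials (a named CLI profile);
# remove_member is the management-account side of the same step.
leave_organization() {
  run aws organizations leave-organization --profile "$1"
}
remove_member() {
  run aws organizations remove-account-from-organization --account-id "$1"
}

# Usage: DRY_RUN=0 RUN_STEPS=1 sh root-recovery.sh <delegated-admin-id> <member-id>
if [ "${RUN_STEPS:-0}" = "1" ]; then
  enable_central_root_access "${1:?delegated admin account id}"
  show_root_access_status
  allow_password_recovery "${2:?member account id}"
fi
```

Run it once with the default `DRY_RUN=1` to read the exact commands, then with `DRY_RUN=0 RUN_STEPS=1` to execute them. Because any principal allowed to call `sts:AssumeRoot` from the delegated administrator can reset the root password of every member account, keep that permission to a small, MFA-protected group and review the `AssumeRoot` events CloudTrail records for the STS service after each use.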
Eventually, you can close these member accounts, or use each of them as the management account of a new, separate AWS Organization.