{"id":54050,"date":"2025-11-11T08:57:37","date_gmt":"2025-11-11T08:57:37","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=54050"},"modified":"2025-11-11T08:57:37","modified_gmt":"2025-11-11T08:57:37","slug":"aws-recommended-account-cleanup-and-closure-runbook","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/aws-recommended-account-cleanup-and-closure-runbook\/","title":{"rendered":"AWS-Recommended Account Cleanup and Closure Runbook"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"><strong>Phase 1 \u2013 Pre-Closure Assessment &amp; Planning<\/strong><\/h2>\n\n\n\n<p><strong>Goal:<\/strong> Confirm business need, identify cost and compliance impact before touching resources.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Inventory &amp; Cost Review<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Generate a <strong>complete cross-region inventory<\/strong> with:\n<ul class=\"wp-block-list\">\n<li><strong>AWS Resource Explorer<\/strong><\/li>\n\n\n\n<li><code>aws resourcegroupstaggingapi get-resources<\/code><\/li>\n\n\n\n<li><strong>AWS Config<\/strong> and <strong>Trusted Advisor<\/strong><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Review <strong>Cost Explorer \u2192 Last 3 months<\/strong> for anomalies.<\/li>\n\n\n\n<li>List <strong>active Reserved Instances (RIs)<\/strong>, <strong>Savings Plans<\/strong>, and <strong>Marketplace subscriptions<\/strong>.<\/li>\n\n\n\n<li>Note any <strong>active Direct Connect<\/strong>, <strong>Dedicated Hosts<\/strong>, or <strong>Elastic IPs<\/strong> (common hidden cost centers).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2. 
Stakeholder &amp; Compliance Approval<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Confirm with application, finance, and compliance owners that the account can be retired.<\/li>\n\n\n\n<li>Document decision in your <strong>Org change log \/ Confluence \/ ticket<\/strong>.<\/li>\n\n\n\n<li>Capture last backup requirement or legal retention if any.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Phase 2 \u2013 Resource Cleanup (Recommended for Zero Residual Cost)<\/strong><\/h2>\n\n\n\n<p>While AWS allows closure without cleanup, <strong>costs persist until resources are deleted or RIs expire<\/strong>.<br>Clean up to prevent hidden post-closure billing.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd39 Critical Items<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Category<\/th><th>Action<\/th><\/tr><\/thead><tbody><tr><td><strong>AWS Marketplace<\/strong><\/td><td>Cancel every subscription in [Marketplace \u2192 Manage Subscriptions]. Terminate instances that used marketplace AMIs.<\/td><\/tr><tr><td><strong>Reserved Instances &amp; Savings Plans<\/strong><\/td><td>These continue billing until expiry. Attempt transfer to another Org account via Support.<\/td><\/tr><tr><td><strong>Data Backups<\/strong><\/td><td>Export or snapshot any S3, RDS, EBS, ECR data you need. 
Then delete storage to stop meter accrual.<\/td><\/tr><tr><td><strong>Direct Connect &amp; Dedicated Resources<\/strong><\/td><td>Explicitly delete DX connections, private virtual interfaces, and dedicated hosts to stop <strong>port-hour charges<\/strong>.<\/td><\/tr><tr><td><strong>Other Persistent Costs<\/strong><\/td><td>Release Elastic IPs, delete NAT Gateways (\u2248 $0.045\/hr + data), and disable CloudWatch Logs retention if unneeded.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Phase 3 \u2013 Account Closure Execution<\/strong><\/h2>\n\n\n\n<p>You, as the <strong>Management Account Admin<\/strong>, can close member accounts in two AWS-supported ways:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Option 1 \u2013 Console<\/strong><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Sign in as Management Account \u2192 <strong>AWS Organizations<\/strong><\/li>\n\n\n\n<li>Choose the target <strong>member account<\/strong><\/li>\n\n\n\n<li>Click <strong>Close account \u2192 Confirm<\/strong><\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Option 2 \u2013 CLI (CloudShell)<\/strong><\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-1\" data-shcb-language-name=\"Bash\" data-shcb-language-slug=\"bash\"><span><code class=\"hljs language-bash\">aws organizations close-account --account-id &lt;member-account-id&gt;\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-1\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">Bash<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">bash<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>AWS automatically:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Revokes IAM access for that 
member<\/li>\n\n\n\n<li>Marks it <strong>CLOSED<\/strong> in Organizations<\/li>\n\n\n\n<li>Freezes new resource creation<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Phase 4 \u2013 Post-Closure Monitoring<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Billing<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You remain liable for all usage <strong>until the closure timestamp<\/strong>.<\/li>\n\n\n\n<li><strong>Final bill<\/strong> arrives the following month.<\/li>\n\n\n\n<li>RIs\/SPs <strong>continue<\/strong> billing until expiry.<\/li>\n\n\n\n<li>Account remains visible as <strong>\u201cCLOSED\u201d for 90 days<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Recovery<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Within 90 days \u2192 Contact AWS Support \u2192 Reopen.<\/li>\n\n\n\n<li>After 90 days \u2192 Permanent deletion (no recovery).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Phase 5 \u2013 Organization-Level Governance &amp; Prevention<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Control<\/th><th>Purpose<\/th><\/tr><\/thead><tbody><tr><td><strong>Service Control Policies (SCPs)<\/strong><\/td><td>Block creation of cost-bearing resources in deprecated accounts or regions.<\/td><\/tr><tr><td><strong>Budgets &amp; Cost Anomaly Detection<\/strong><\/td><td>Catch stray spend early.<\/td><\/tr><tr><td><strong>AWS Config &amp; CloudTrail (Org scope)<\/strong><\/td><td>Track configuration and deletion compliance.<\/td><\/tr><tr><td><strong>Automated Cleanup Scripts<\/strong><\/td><td>Implement Lambda or Step Functions that auto-delete idle EBS, S3, EIPs.<\/td><\/tr><tr><td><strong>Lifecycle OU Structure<\/strong><\/td><td>Maintain \u201cActive\u201d, \u201cSandbox\u201d, and \u201cDecommissioned\u201d OUs for clear 
separation.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Recommended Timeline<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Week<\/th><th>Tasks<\/th><\/tr><\/thead><tbody><tr><td><strong>Immediate<\/strong><\/td><td>Audit account, identify Marketplace subs &amp; Direct Connect links.<\/td><\/tr><tr><td><strong>Week 1<\/strong><\/td><td>Back up critical data, cancel Marketplace subs.<\/td><\/tr><tr><td><strong>Week 2<\/strong><\/td><td>Delete resources \/ release IPs \/ terminate NAT Gateways.<\/td><\/tr><tr><td><strong>Week 3<\/strong><\/td><td>Verify zero usage \u2192 Close account via Organizations.<\/td><\/tr><tr><td><strong>Month After<\/strong><\/td><td>Review final bill &amp; ensure no unexpected charges.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Common Hidden Costs to Double-Check<\/strong><\/h2>\n\n\n\n<p>\u2705 NAT Gateways<br>\u2705 Elastic IPs (allocated but unused)<br>\u2705 CloudWatch Logs retention<br>\u2705 EBS Snapshots<br>\u2705 Direct Connect ports<br>\u2705 Active Savings Plans \/ RIs<br>\u2705 Marketplace licensing<br>\u2705 PrivateLink endpoints<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Official AWS References<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><a href=\"https:\/\/docs.aws.amazon.com\/accounts\/latest\/reference\/manage-acct-close.html\" target=\"_blank\" rel=\"noopener\">Close an AWS Account \u2013 AWS Account Management Docs<\/a><\/strong><\/li>\n\n\n\n<li><strong><a href=\"https:\/\/docs.aws.amazon.com\/organizations\/latest\/userguide\/orgs_manage_accounts_close.html\" target=\"_blank\" rel=\"noopener\">Closing a Member Account in AWS 
Organizations<\/a><\/strong><\/li>\n\n\n\n<li><strong><a href=\"https:\/\/aws.amazon.com\/blogs\/mt\/streamlining-aws-organizations-cleanup-strategies\/\" target=\"_blank\" rel=\"noopener\">Streamlining AWS Organizations Cleanup Strategies \u2013 AWS Cloud Ops Blog<\/a><\/strong><\/li>\n\n\n\n<li><strong><a href=\"https:\/\/repost.aws\/\" target=\"_blank\" rel=\"noopener\">AWS re:Post \u2013 Decommissioning an Organization Account<\/a><\/strong><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Final Action Plan (Summary)<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Audit &amp; Backup<\/strong> \u2192 Inventory, cancel Marketplace subs, note RIs\/SPs.<\/li>\n\n\n\n<li><strong>Clean Up Resources<\/strong> \u2192 Terminate compute, delete storage, remove DX links.<\/li>\n\n\n\n<li><strong>Verify Zero Spend<\/strong> \u2192 Check Cost Explorer &amp; Budgets.<\/li>\n\n\n\n<li><strong>Close Account<\/strong> via Organizations (console or CLI).<\/li>\n\n\n\n<li><strong>Monitor Final Bill<\/strong> &amp; ensure RIs\/SPs handled.<\/li>\n\n\n\n<li><strong>Apply Org-level SCPs &amp; budgets<\/strong> to avoid future waste.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Phase 1 \u2013 Pre-Closure Assessment &amp; Planning Goal: Confirm business need, identify cost and compliance impact before touching resources. 1. Inventory &amp; Cost Review 2. 
Stakeholder &amp; Compliance Approval Phase&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[11138],"tags":[],"class_list":["post-54050","post","type-post","status-publish","format-standard","hentry","category-best-tools"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/54050","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=54050"}],"version-history":[{"count":1,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/54050\/revisions"}],"predecessor-version":[{"id":54051,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/54050\/revisions\/54051"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=54050"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=54050"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=54050"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}