The Saga Continues

In my previous post, I shared my harrowing experience trying to deploy AWS Landing Zone with the Trusted Enclaves pattern. I ended that post stuck in what I called "Account Purgatory" - unable to remove suspended accounts from my organization, blocking any further progress.

Well, good news! After much trial and error (and several more AWS support tickets), I've finally escaped! Here's how I managed to exorcise those stubborn accounts and get back on track.

The Solution: Root Access and The Magical Obscure Link

The key to removing accounts from an AWS Organization isn't documented prominently anywhere I could find. After days of frustration, here's what finally worked:

Step 1: Recover Root Access to Child Accounts

First, I needed to access each child account as the root user:

  1. For each account, I needed the email address used during creation
  2. I had to initiate password recovery for each root account
  3. I then set a new root password for each account

Step 2: The Obscure Link - The Only Thing You Really Need

Here's the crucial discovery: In the AWS documentation about removing member accounts, there's an easily missed link labeled simply "this link" buried in the text.

The link appears in this section:

We recommend that you sign in to the member account by choosing Copy link, and then pasting it into the address bar of a new incognito browser window. If you do not see Copy link, use this link to go to the Sign up for AWS page and complete the missing registration steps.

This mysterious "this link" is all you actually need! When clicked while logged in as the root user of a child account, it takes you to a special page that will automatically prompt you for all required information, including:

  1. Payment method details
  2. Support plan selection (Basic is free)
  3. Phone verification
  4. Any other missing account verification steps

You don't need to manually navigate to the billing console or payment preferences first - this link will guide you through everything required to make the account eligible to leave the organization.

Step 3: Finally Leaving the Organization

After completing the steps via "the link," you can then:

  1. Stay in the child account (still logged in as root)
  2. Navigate to AWS Organizations
  3. Select "Leave Organization"
  4. Confirm your choice

Step 4: Don't Forget to Close the Account!

Lastly, don't forget to close that account once it's disconnected from the organization. Now that it's a standalone account with your payment method attached, it will start accruing charges for any resources left running.
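Before starting Step 1 it helps to know, for every member account, the root email you will need for password recovery and whether the account was created by Organizations (and so is likely missing the payment, support-plan and phone details that "the link" collects). The script below is an added example, not something from the original post or from AWS: it assumes you have saved the output of `aws organizations list-accounts --output json` from the management account, and the account IDs and emails in it are constructed placeholders.

```python
"""Triage member accounts before the leave/close procedure.

Added example. Reads the JSON printed by
`aws organizations list-accounts --output json` and lists, per member,
the root email (for recovery) and whether the account was CREATED by
Organizations (typically missing payment method, support plan, phone).
"""
import json

# Constructed sample in the shape returned by list-accounts; the account
# IDs and emails are placeholders, not real accounts.
SAMPLE_LIST_ACCOUNTS = json.dumps({
    "Accounts": [
        {"Id": "111111111111", "Name": "management", "Email": "mgmt@example.com",
         "Status": "ACTIVE", "JoinedMethod": "INVITED"},
        {"Id": "222222222222", "Name": "lz-logging", "Email": "lz-logging@example.com",
         "Status": "SUSPENDED", "JoinedMethod": "CREATED"},
        {"Id": "333333333333", "Name": "lz-security", "Email": "lz-security@example.com",
         "Status": "ACTIVE", "JoinedMethod": "CREATED"},
    ]
})


def triage_accounts(list_accounts_json, management_account_id):
    """Return one row per member account (management account excluded).

    Each row carries the root email to start recovery with and a flag for
    accounts that still need the standalone-registration steps.
    """
    rows = []
    for acct in json.loads(list_accounts_json)["Accounts"]:
        if acct["Id"] == management_account_id:
            continue  # the management account never leaves its own organization
        rows.append({
            "id": acct["Id"],
            "name": acct["Name"],
            "root_email": acct["Email"],
            "status": acct["Status"],
            "needs_standalone_setup": acct["JoinedMethod"] == "CREATED",
        })
    # Suspended accounts first: those are the ones blocking cleanup.
    rows.sort(key=lambda r: (r["status"] != "SUSPENDED", r["id"]))
    return rows


if __name__ == "__main__":
    for row in triage_accounts(SAMPLE_LIST_ACCOUNTS, "111111111111"):
        print(row)
```

Replace `SAMPLE_LIST_ACCOUNTS` with the contents of your own saved file; the `root_email` column is the address you start Step 1 with, and rows flagged `needs_standalone_setup` are the ones that will need "the link" in Step 2.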

Why Is This So Complicated?

The process is designed this way for good reason - to ensure accounts have everything they need to operate independently before leaving an organization. But the documentation and user experience could certainly be improved.

The biggest issue is that AWS doesn't clearly indicate what's missing from an account. You're just left with cryptic error messages like "The account cannot be removed because it's missing required information."

Lessons Learned

Beyond the technical steps, here are the key takeaways from this experience:

  1. AWS Organization account management is intricate - Understand the full lifecycle before creating or removing accounts.

  2. Documentation has gaps - Sometimes the most crucial information is buried in obscure places or missing entirely.

Share Your Experiences

Have you gone through similar struggles with AWS Organizations or Landing Zone? I'd love to hear your stories and any additional tips you might have!