Decommissioning AWS Control Tower Landing Zone
November 24, 2024 AWS Control Tower
A landing zone, typically set up using AWS Control Tower, is a well-architected, multi-account AWS environment that is scalable and secure. AWS Control Tower automates the configuration of the landing zone following AWS best practices, which include networking settings, identity and access management (IAM) policies, logging and monitoring settings, and security guardrails. Decommissioning an AWS Control Tower landing zone is a complex task that involves shutting down a multi-account AWS environment while ensuring no critical resources or data are lost.
In this post, I will walk through the necessary steps to decommission a landing zone focusing on key considerations for ensuring compliance, security, and cost management.
Overview
Decommissioning a landing zone involves dismantling the foundational AWS environment that was created when you set up AWS Control Tower. Before decommissioning your landing zone, it is important that you have a plan for migrating your existing resources and data to a new environment, either to a different AWS account or a different landing zone, and you have taken steps to back up any important data in the event that it needs to be restored. If any data needs to be retained for compliance or other reasons, you will need to archive it in a secure and easily accessible location.
Once you have completed your migration and data archiving, you want to ensure that all resources and services in your AWS accounts have been fully removed to avoid incurring unnecessary charges. You need to check that all resources in each account, for example VPC NAT gateways, EC2 instances, EBS snapshots, S3 buckets, and RDS backups, have been deleted. If any resources are no longer needed, terminate and delete them.
You can then disable and decommission your Control Tower landing zone. This will remove all of the resources and settings associated with your landing zone, and will permanently delete your AWS Control Tower environment. After decommissioning the landing zone, you may want to keep an eye on your AWS billing to verify that all charges associated with the landing zone and AWS accounts have been fully removed and no unexpected charges are being incurred.
Overall, decommissioning your landing zone requires careful planning and execution to ensure that your data is backed up and that your resources are migrated to a new environment without interruption.
Key steps in decommissioning AWS landing zone
1. Obtain management account root credentials
Before starting the decommission process, you need the root credentials of your management (formerly "master") account. You will need them to close the management account itself and to carry out operations across the organisation that no IAM identity can perform: you cannot close the AWS management account with an AWS Identity and Access Management (IAM) user or role. These are the most privileged credentials in the organisation, so keep them protected with MFA and use them only for the steps that genuinely require root.
If you forget your root user password, you can reset the password using the AWS Management console with these steps:
- Open the AWS Management Console - https://console.aws.amazon.com/
- If you land on the account-specific IAM user sign-in page (the default), choose Sign in using root user email near the bottom of the page.
- Select Root user and enter your AWS account root user email address (this is the email used to create the AWS account), and then choose Next.
- Choose Forgot password?.
- Provide the CAPTCHA text and select Send email.
- An email with a link to reset your password will be sent. Follow the instructions in the email.
If you no longer have access to that email address, try to recover access to it, or ask your email administrators to set up a "catch-all" address for the domain. If neither is possible, contact AWS Support for help.
2. Sign in to your member accounts and back up resources
You need to sign in to each member account in the organisation and back up any resources or data that you want to keep. AWS services such as AWS Transfer Family and AWS DataSync can be used for the data migration.
You should be able to reach your member accounts through the IAM Identity Center (SSO) login, or alternatively with an IAM user or the account's root user. By default, member accounts created with AWS Organizations do not have a root password, so you need to reset the root user password for these accounts first (see also the note on centrally managing root access [1]). You can follow the procedure to reset the root user password in the previous step.
If you need to update the root user email address for a member account, follow the steps from the AWS documentation.
3. Check and terminate active resources
Closing your AWS account might not automatically terminate all your active (billable) resources so you might continue to incur charges for some of your resources.
To check what billable resources you have in your accounts, you can use the AWS Billing and Cost Management console in your management (payer) account. Your AWS monthly billing details list totals for all accounts if you enabled the consolidated billing feature in AWS Organizations.
- Open the Billing and Cost Management console.
- Choose Bills in the navigation pane on the left side.
- Select the Charges by service tab and expand each service to see the AWS Regions in which that service incurs charges.
- Choose a previous month from the dropdown list to view the charges.
- Note down the services that have billable resources for the current and previous billing periods.
You must terminate resources in every Region where you have allocated them. Refer to this AWS re:Post guide for more details on how to remove active resources that are no longer needed in your AWS account.
If your AWS resources were deployed with infrastructure-as-code tools such as Terraform or CloudFormation, destroy them through the same tool (terraform destroy, or deleting the CloudFormation stacks) so that dependent resources are removed in the right order. Otherwise, you will have to open each service in the AWS Management Console, or use the AWS CLI, to terminate the identified resources service by service.
You could utilise AWS Resource Groups to find resources to be terminated.
- Open the AWS Resource Groups console.
- In the navigation pane, on the left side of the screen, choose Tag Editor.
- For Regions, choose All regions.
- For Resource types, choose All supported resource types.
- Choose Search resources.
Review the search results to see if there are any resources on the account that you want to terminate.
You need to repeat these checks and terminations for each AWS account. Depending on the number of accounts you need to close, this is a tedious process. If you want a quicker path, there are open-source tools that delete every resource in an AWS account.
Use them at your own risk: they are indiscriminate by design, so run them only after your backups have been verified, and only with credentials that cannot reach an account you intend to keep.
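Repeating the Tag Editor search by hand in every account and Region does not scale, so here is an added example (written for this post, not AWS's own code) that runs the same query through the Resource Groups Tagging API across every enabled Region of every active account in the organisation and summarises what it finds by service and Region. It assumes management-account credentials and a role that can be assumed in each member account; the default role name AWSControlTowerExecution is the one Control Tower provisions in enrolled accounts, and the sample ARNs in the block are constructed for illustration only.

```python
"""Inventory taggable resources in every Region of every active account.

Added example for this post, not AWS's own code. Assumptions that are not on
the page: credentials for the management account, and a role in each member
account that those credentials may assume (default AWSControlTowerExecution,
which Control Tower provisions in enrolled accounts; pass your own name if you
use something else). It queries the Resource Groups Tagging API, which is what
Tag Editor uses, so only resource types that support tagging are returned.
"""
from collections import defaultdict

# Constructed sample ARNs (not real resources) used by demo_summary() below.
SAMPLE_ARNS = [
    "arn:aws:ec2:ap-southeast-2:123456789012:instance/i-0123456789abcdef0",
    "arn:aws:ec2:ap-southeast-2:123456789012:natgateway/nat-0123456789abcdef0",
    "arn:aws:rds:us-east-1:123456789012:snapshot:rds:mydb-2024-11-01",
    "arn:aws:s3:::aws-controltower-logs-123456789012-ap-southeast-2",
    "arn:aws:logs:ap-southeast-2:123456789012:log-group:aws-controltower/CloudTrailLogs:*",
]


def parse_arn(arn):
    """Split an ARN into (service, region, account, resource).

    Global services such as S3 and IAM leave the region field empty; they are
    reported under the pseudo-Region 'global' so they are not lost.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError("not an ARN: %r" % (arn,))
    _, _partition, service, region, account, resource = parts
    return service, region or "global", account, resource


def summarize(arns):
    """Count resources per (service, Region): the view you want before terminating."""
    counts = defaultdict(int)
    for arn in arns:
        service, region, _, _ = parse_arn(arn)
        counts[(service, region)] += 1
    return dict(counts)


def demo_summary():
    """Summary of the constructed sample, runnable without AWS access."""
    return summarize(SAMPLE_ARNS)


def enabled_regions(session):
    """Regions usable by this account (opt-in Regions that are not enabled are skipped)."""
    ec2 = session.client("ec2", region_name="us-east-1")
    return sorted(r["RegionName"] for r in ec2.describe_regions(AllRegions=False)["Regions"])


def tagged_resource_arns(session, region):
    """Same query as Tag Editor with 'All supported resource types', for one Region."""
    api = session.client("resourcegroupstaggingapi", region_name=region)
    arns = []
    for page in api.get_paginator("get_resources").paginate():
        arns.extend(r["ResourceARN"] for r in page["ResourceTagMappingList"])
    return arns


def member_session(mgmt_session, account_id, role_name):
    """Assume role_name in a member account and return a boto3 session for it."""
    import boto3
    creds = mgmt_session.client("sts").assume_role(
        RoleArn="arn:aws:iam::%s:role/%s" % (account_id, role_name),
        RoleSessionName="landing-zone-inventory",
    )["Credentials"]
    return boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


def inventory_organization(mgmt_session, role_name="AWSControlTowerExecution"):
    """Return {account_id: {(service, region): count}} for every ACTIVE account."""
    mgmt_id = mgmt_session.client("sts").get_caller_identity()["Account"]
    org = mgmt_session.client("organizations")
    result = {}
    for page in org.get_paginator("list_accounts").paginate():
        for acct in page["Accounts"]:
            if acct["Status"] != "ACTIVE":
                continue  # roles cannot be assumed in SUSPENDED or PENDING_CLOSURE accounts
            session = mgmt_session if acct["Id"] == mgmt_id else member_session(
                mgmt_session, acct["Id"], role_name)
            arns = []
            for region in enabled_regions(session):
                arns.extend(tagged_resource_arns(session, region))
            result[acct["Id"]] = summarize(arns)
    return result


if __name__ == "__main__":
    import boto3  # only needed when talking to AWS
    for account_id, counts in inventory_organization(boto3.Session()).items():
        print(account_id)
        for (service, region), n in sorted(counts.items()):
            print("  %-16s %-16s %d" % (service, region, n))
```

Because the Tagging API returns only resource types that support tagging, treat the result as a starting point and reconcile it against the Charges by service view: anything that bills but does not appear here has to be found through its own service console or CLI.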
If you have Reserved Instances (EC2, RDS, Redshift, ElastiCache), you will continue to be charged for them: a reservation is a commitment and is not cancelled when you close the account, so the charges run until the term ends.
You can list your Reserved Instances for sale on the EC2 Reserved Instance Marketplace. For more information, see Sell Reserved Instances for Amazon EC2 in the Reserved Instance Marketplace.
Active AWS Marketplace subscriptions are not automatically cancelled when you close your account. You must first terminate all instances of your software in the subscriptions. Then, cancel subscriptions on the Manage subscriptions page of the AWS Marketplace console.
4. Unmanage accounts from Control Tower
Prior to decommissioning the landing zone, it is recommended to unmanage the enrolled accounts from AWS Control Tower. When you unmanage an account, the account will be removed from the governance of Control Tower while keeping it operational.
To unmanage an account from the AWS Control Tower console:
- Open the AWS Control Tower console.
- On the Organization page, find and select the name of the account you want to unmanage.
- Click the Actions dropdown, and choose Unmanage under Account list of actions.
- A dialog appears, explaining the action you are about to perform, with a required confirmation process.
- To confirm, type “UNMANAGE” and then click Unmanage account to deprovision the account.
The account will be removed from the AWS Service Catalog provisioned products (AWS Control Tower Account Factory), moved to the root OU and un-enrolled from Control Tower.
If you do not unmanage the accounts, you will need to manually remove the provisioned accounts from the Service Catalog after the accounts have been permanently deleted.
5. Decommission the landing zone
Decommissioning your landing zone will disable AWS Control Tower and dismantle the multi-account setup. The decommissioning process cannot be undone. The process will permanently remove resources created during Control Tower setup.
Refer to the AWS Control Tower documentation - Overview of the decommissioning process - for a list of actions performed by AWS Control Tower during decommissioning.
To decommission your AWS Control Tower landing zone, follow these steps:
- Open the AWS Control Tower console.
- Navigate to the Landing zone settings page and then select the Decommission tab.
- Choose Decommission landing zone within the Decommission your landing zone section.
- A dialog appears, explaining the action you are about to perform, with a required confirmation process.
- You must check every box and type “DECOMMISSION” to confirm the decommissioning, and select Decommission landing zone.
After confirming, you will be redirected to the AWS Control Tower home page while decommissioning is in progress, which may take up to two hours.
When landing zone decommissioning has succeeded, certain resources are not deleted automatically, including:
- AWS Organizations: organisational units created by AWS Control Tower remain intact, including the Security and Sandbox OUs.
- IAM Identity Center resources: users, groups, and permission sets associated with Account Factory or the Control Tower setup must be deleted manually.
- Roles: Control Tower creates several roles during setup. When you decommission the landing zone, the following roles are not removed:
  - AWSControlTowerAdmin
  - AWSControlTowerCloudTrailRole
  - AWSControlTowerStackSetRole
  - AWSControlTowerConfigAggregatorRoleForOrganizations
  Leaving these roles in place keeps their trust policies live, so delete them rather than leaving them dormant.
- Shared accounts: the two shared accounts (Audit and Log Archive) created during Control Tower setup are not closed.
- Provisioned accounts: accounts provisioned with Account Factory are not closed, and neither are accounts that were created manually and then enrolled.
- S3 buckets: the S3 buckets (and their contents) that Control Tower created in the Log Archive account for logs and for log access logging are not removed.
- CloudWatch Logs log group: the log group aws-controltower/CloudTrailLogs associated with Control Tower is not deleted automatically.
You must delete these resources manually to avoid ongoing costs, and you should do so before you set up another landing zone. For more information, see About removing AWS Control Tower resources.
Note: If you intend to set up a new landing zone in a new AWS Region, follow these additional steps.
- Disable trusted access for Control Tower in AWS Organizations with the following CLI command:
aws organizations disable-aws-service-access --service-principal controltower.amazonaws.com
- If your landing zone version is 3.2 or newer, delete the remaining managed rule, called AWSControlTowerManagedRule, from the shared and member accounts in all governed Regions. AWSControlTowerManagedRule is an Amazon EventBridge rule.
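As an added example (not AWS's own code), the following removes that rule in every governed Region of one account, handling the two ways the delete can fail: EventBridge refuses to delete a rule that still has targets, and it refuses to delete a rule that another service created on your behalf unless Force=True is passed. It assumes credentials for the account being cleaned, the list of governed Regions, and that the rule sits on the default event bus; run it once per shared and member account, or wrap clean_account in your own cross-account loop.

```python
"""Delete the leftover AWSControlTowerManagedRule from every governed Region.

Added example for this post, not AWS's own code. Assumptions not on the page:
credentials for the account being cleaned (run once per shared and member
account), the list of governed Regions, and that the rule is on the default
event bus. EventBridge refuses to delete a rule that still has targets, and
refuses to delete a rule created on your behalf by another service unless
Force=True is passed, so targets are removed first and the delete is forced.
"""
RULE_NAME = "AWSControlTowerManagedRule"


def delete_managed_rule(events, rule_name=RULE_NAME):
    """Remove the rule's targets, then force-delete it. Returns what was done."""
    names = {r["Name"] for r in events.list_rules(NamePrefix=rule_name)["Rules"]}
    if rule_name not in names:
        return {"rule": rule_name, "found": False, "targets_removed": 0}

    # Collect every target id; ListTargetsByRule pages with NextToken.
    target_ids, token = [], None
    while True:
        kwargs = {"Rule": rule_name}
        if token:
            kwargs["NextToken"] = token
        page = events.list_targets_by_rule(**kwargs)
        target_ids.extend(t["Id"] for t in page["Targets"])
        token = page.get("NextToken")
        if not token:
            break

    # RemoveTargets takes at most 100 ids per call; Force is required for managed rules.
    for i in range(0, len(target_ids), 100):
        resp = events.remove_targets(Rule=rule_name, Ids=target_ids[i:i + 100], Force=True)
        if resp.get("FailedEntryCount"):
            raise RuntimeError("could not remove targets from %s: %r" % (rule_name, resp))
    events.delete_rule(Name=rule_name, Force=True)
    return {"rule": rule_name, "found": True, "targets_removed": len(target_ids)}


def clean_account(session, governed_regions, rule_name=RULE_NAME):
    """Run the deletion in every governed Region of one account; returns per-Region outcomes."""
    return {
        region: delete_managed_rule(session.client("events", region_name=region), rule_name)
        for region in governed_regions
    }


if __name__ == "__main__":
    import sys
    import boto3  # only needed when talking to AWS
    # usage: python cleanup_rule.py <profile> <governed-region> [<governed-region> ...]
    profile, regions = sys.argv[1], sys.argv[2:]
    for region, outcome in clean_account(boto3.Session(profile_name=profile), regions).items():
        print(region, outcome)
```

Run it against the Audit and Log Archive accounts as well as every former member account, since the rule was deployed to all of them; a Region that reports found: False simply had nothing left to clean.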
6. Close member AWS accounts
Once you have cleaned up all resources in your AWS accounts, you can proceed to close the accounts.
You can close member accounts from AWS Organizations if your organisation is in All features mode. If the organisation is in Consolidated billing mode only, the Close button in the AWS Organizations console is not available.
You can close only 10% of the member accounts in an organisation, up to a maximum of 1000, within a rolling 30-day period. The guideline is as follows:
- Fewer than 100 accounts: you can close up to 10 member accounts
- 100 to 10,000 accounts: you can close up to 10% of your member accounts
- More than 10,000 accounts: you can close up to 1000 member accounts
This quota is not bound to a calendar month; the 30-day window starts when you close an account. After you reach the quota, you can close additional accounts from each account's own Account page (as the root user, described below) or wait for the quota to reset after the 30-day period.
To close a member account from the AWS Organizations console:
- Open the AWS Organizations console.
- On the AWS accounts page, find and select the name of the member account you want to close.
- Click the Actions dropdown, and choose Close under AWS account list of actions.
- Read and ensure that you understand the account closure guidance.
- Enter the member account ID, and then choose Close account to initiate the closure process.
You should receive an email confirmation that your account has been closed. If the account has a multi-factor authentication (MFA) device enabled, keep that device until the 90-day post-closure period expires (you need it to sign in as root to check billing or reopen the account), or remove the MFA device before closing the account.
Only three (3) account closures can be in progress at the same time; you must wait for one to finish before starting another. The same operation is available programmatically through the AWS CLI (aws organizations close-account) or the AWS SDKs, which is the practical route when you have many accounts to close.
Note: If you want to use the same email address that was associated with your closed account to create a new AWS account, you need to update it before closing the account. See Updating the root user email address for a member account with AWS Organizations for instructions on updating your email address.
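As an added example (not AWS's own code), the following uses the CloseAccount API to close member accounts while staying inside both limits above: it plans batches of three, stops at the rolling 30-day quota, and waits for each batch to reach the SUSPENDED status before starting the next. It assumes management-account credentials with organizations:CloseAccount and that you supply the number of accounts already closed in the current window; the roster in the block is constructed so the planning part can be exercised without AWS access.

```python
"""Close member accounts with the CloseAccount API within the Organizations limits.

Added example for this post, not AWS's own code. It enforces the two limits
described above: at most 10% of member accounts (minimum 10, maximum 1000) in
a rolling 30-day window, and no more than three closures in progress at once.
Assumptions not on the page: credentials for the management account with
organizations:CloseAccount, a count of accounts you already closed in the
current window (tracked by you), and a constructed roster for demo_plan().
"""
import time

MAX_IN_FLIGHT = 3  # closures AWS lets you have in progress at the same time

# Constructed sample roster (not real account IDs) for demo_plan().
DEMO_TO_CLOSE = ["111111111111", "222222222222", "333333333333", "444444444444", "555555555555"]
DEMO_TOTAL_MEMBER_ACCOUNTS = 40
DEMO_ALREADY_CLOSED = 6


def closure_quota(total_member_accounts):
    """Member accounts you may close in any rolling 30-day window."""
    return min(max(10, total_member_accounts // 10), 1000)


def plan_batches(to_close, total_member_accounts, already_closed_last_30_days=0):
    """Split candidates into batches of MAX_IN_FLIGHT, stopping at the quota.

    Returns (batches, deferred): deferred accounts must wait for the window to roll.
    """
    allowed = max(0, closure_quota(total_member_accounts) - already_closed_last_30_days)
    now, deferred = list(to_close[:allowed]), list(to_close[allowed:])
    batches = [now[i:i + MAX_IN_FLIGHT] for i in range(0, len(now), MAX_IN_FLIGHT)]
    return batches, deferred


def demo_plan():
    """Plan for the constructed roster, runnable without AWS access."""
    return plan_batches(DEMO_TO_CLOSE, DEMO_TOTAL_MEMBER_ACCOUNTS, DEMO_ALREADY_CLOSED)


def wait_until_suspended(org, account_id, poll_seconds=30, timeout_seconds=1800):
    """CloseAccount is asynchronous: the account goes ACTIVE -> PENDING_CLOSURE -> SUSPENDED."""
    deadline = time.monotonic() + timeout_seconds
    while True:
        status = org.describe_account(AccountId=account_id)["Account"]["Status"]
        if status == "SUSPENDED":
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(poll_seconds)


def close_member_accounts(org, batches, poll_seconds=30):
    """Close one batch at a time, waiting for every account in it to be SUSPENDED."""
    closed = []
    for batch in batches:
        for account_id in batch:
            org.close_account(AccountId=account_id)
        for account_id in batch:
            if not wait_until_suspended(org, account_id, poll_seconds):
                raise RuntimeError("%s did not reach SUSPENDED in time; stop and investigate" % account_id)
            closed.append(account_id)
    return closed


def list_member_accounts(org):
    """All member accounts (any status); the management account is excluded."""
    mgmt_id = org.describe_organization()["Organization"]["MasterAccountId"]
    accounts = []
    for page in org.get_paginator("list_accounts").paginate():
        accounts.extend(a for a in page["Accounts"] if a["Id"] != mgmt_id)
    return accounts


if __name__ == "__main__":
    import sys
    import boto3  # only needed when talking to AWS
    # usage: python close_accounts.py <closed-in-last-30-days> <account-id> [<account-id> ...]
    org = boto3.client("organizations")
    already_closed = int(sys.argv[1])
    total = len(list_member_accounts(org))
    batches, deferred = plan_batches(sys.argv[2:], total, already_closed)
    print("closing now:", batches)
    print("deferred to the next window:", deferred)
    print("closed:", close_member_accounts(org, batches))
```

Because the window is rolling and the API does not expose a closure timestamp, keep your own record of when each account was closed and pass that count to plan_batches; anything returned in deferred waits for the next window. The management account is never a candidate here, as it cannot be closed through this API.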
To close a member account from its own Account page, you need that account's root user credentials.
- Sign in to the AWS Management Console as the root user of the member account.
- On the navigation bar in the upper-right corner, choose your account name or number, and choose Account.
- On the Account page, click the Close Account button.
- Type your account ID to confirm that you have read and understand the account closure process.
- Choose the Close account button to initiate the closure process.
You should receive an email confirmation that your account has been closed.
7. Close the management (payer) AWS account
The last step is to close the management (payer) account. You cannot close the management account from the AWS Organizations console, and the AWS CLI and SDKs cannot do it either; it can only be done through the AWS Management Console while signed in as the root user.
Keep in mind that all member accounts in the organisation must be closed (in the SUSPENDED state) before the management account can be closed. You do not need to remove the member accounts from the organisation. The management account also needs a valid credit card, debit card, or other payment method on file in order to be closed.
To close your management account, do the following:
- Sign in to the AWS Management Console as the root user of the management account.
- On the navigation bar in the upper-right corner, choose your account name or number, and then choose Account.
- On the Account page, click the Close account button.
- Type your account ID to confirm that you have read and understand the account closure process.
- Choose the Close account button to initiate the closure process.
You should receive an email confirmation that your account has been closed.
Additional information
After closing your AWS account
You will receive the final bill the following month for all the outstanding fees and charges for the services consumed before closing your account. For example, if you closed your account on January 15, you will receive a bill at the beginning of February for usage incurred from January 1-15. Your designated payment method is charged for any usage fees that you incurred.
Note that if you subscribe to a Savings Plan, you will continue to be charged for the compute usage until the subscription plan term ends.
To view and pay your outstanding AWS bills:
- Open the Billing and Cost Management console.
- In the navigation pane, choose Payments. You can see your overdue payments in the Payments due section.
- If there are outstanding invoices, select the invoice that you want to pay, and then choose Complete payment.
- On the Complete a payment page, your default payment method is selected if it is eligible for you to use to pay the invoice.
- Confirm that the summary matches what you want to pay, and choose Verify and pay.
Within the 90 days post-closure period, you can still sign in to your account to check billing information, pay bills, and contact AWS Support. You can reopen your closed account within 90 days but the charges will restart for any AWS services that you did not terminate before you closed the account. After 90 days, AWS permanently deletes any content remaining in your account, and shuts down any AWS services that were not terminated.
You cannot permanently delete your account before 90 days. You cannot reopen the account after 90 days. And, you cannot use the same email address that was associated with your closed account to create new AWS account. If you want to use the same email address for a different AWS account, you need to update it before closing the account. See Update the AWS account name, email address, or password for the root user for instructions on updating your email address.
Conclusion
Decommissioning an AWS Control Tower landing zone requires careful planning, from resource termination to ensuring compliance with your organisational policies. By following these steps, you can securely and efficiently decommission your AWS environment, avoiding unexpected costs and minimising risk.
References
- AWS Control Tower Decommissioning Guide
- Check for active resources
- How to reset root password
- Close AWS account
- [1] New IAM capability announced on 15 Nov 2024: Centrally manage root access in AWS Identity and Access Management