Removing Stack Instances During Account Decommission

0

I'm looking for best practice guidance on removing accounts from Control Tower and dealing with stack instances. In my management account I have CfCT set up. If I understand correctly, I need to delete the Service Catalog product, move the account to a Suspended OU outside the scope of CfCT, and close the account. At that point, all stack instances from CT and CfCT will still remain and I should eventually remove them. My question is: do you need to remove these stack instances immediately to prevent errors in Control Tower or CfCT? Or can I remove them over an extended period of time (for example, 7 days) without risk of errors as I continue to use CT/CfCT?

3 Answers
1
Accepted Answer

It would be better to remove them immediately during the account decommissioning process. CfCT may throw errors if an account is listed in stack instances and it can't access the account (suspended, or had the AWSControlTowerExecution role removed).

AWS
Roguen
answered a year ago
0

So it sounds like the best order of operations is to remove all stack sets from CT/CfCT prior to account closure. Or, all together:

- Remove Service Catalog product

- Move to Suspended OU

- Delete any remaining stack instances

- Close account.

answered a year ago
  • A few other steps that I think would be relevant, with some added detail and a little re-ordering. For the most part I think you've got the idea though:

    - Move the account to a "Transitional" OU, or some OU that is outside of the manifest OUs but within Control Tower governance. Do this by updating the provisioned product in Service Catalog.

    - Rerun the CfCT pipeline; this action will delete StackSet instances deployed by CfCT from the account.

    - Terminate the provisioned Service Catalog product associated with the account to unmanage the account from Control Tower. This action will also delete StackSet instances deployed by Control Tower from the account and removes the Control Tower admin role.

    - Ensure all resources are shut down/deleted in the account (EC2, RDS, etc.).

    - Move to the "Suspended" OU, which is outside of both Control Tower control and the CfCT manifest and has a Deny * SCP attached.

    -- Leave in the Suspended OU. Verify CfCT and StackSets are working properly.

    -- Delete the account following this process: https://aws.amazon.com/premiumsupport/knowledge-center/close-aws-account/

    -- The account will be in a suspended state for 90 days before deletion.

  • Thank you for the very thorough response to this!

0

And is removing them just a manual process (or could it be scripted)?

answered a year ago
  • It could be manual, though it's just removing the stack instances from the StackSets, so it could be scripted via CLI calls or other tooling.
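An added example of the scripted clean-up the comment above refers to, and of the "delete any remaining stack instances" step in the procedure in the previous answer. This is not code from the thread or from AWS; it runs in the management account where the Control Tower and CfCT StackSets live, and it works against any object that exposes the boto3 CloudFormation calls `get_paginator("list_stack_sets")`, `get_paginator("list_stack_instances")` and `delete_stack_instances`. The `FakeCloudFormation` class, the stack set names (which mimic the `AWSControlTowerBP-*` / `CustomControlTower-*` naming), the account IDs and the regions are constructed for an offline run and are not real data. The `retain_stacks` choice is the caveat from the accepted answer: once the account is suspended or the `AWSControlTowerExecution` role is gone, StackSets can no longer act in the target account, so only a retain-stacks deletion (which drops the StackSet's record of the instance without touching the target stack) can still succeed.

```python
"""Find and remove CloudFormation StackSet instances that target one account.

Run in the Control Tower management account. The client is passed in, so
the same logic works with boto3.client("cloudformation") or with the
constructed FakeCloudFormation below for an offline check.
"""
from collections import defaultdict
from typing import Dict, List, Tuple


def find_instances_for_account(cfn, account_id: str) -> Dict[str, List[str]]:
    """Return {stack_set_name: [region, ...]} for every stack instance in an
    ACTIVE stack set that targets account_id. StackInstanceAccount is a
    server-side filter; the client-side check is belt and braces."""
    found: Dict[str, List[str]] = defaultdict(list)
    for page in cfn.get_paginator("list_stack_sets").paginate(Status="ACTIVE"):
        for stack_set in page["Summaries"]:
            name = stack_set["StackSetName"]
            pages = cfn.get_paginator("list_stack_instances").paginate(
                StackSetName=name, StackInstanceAccount=account_id)
            for inst_page in pages:
                for inst in inst_page["Summaries"]:
                    if inst["Account"] == account_id:
                        found[name].append(inst["Region"])
    return {name: sorted(set(regions)) for name, regions in found.items()}


def delete_instances_for_account(cfn, account_id: str, retain_stacks: bool,
                                 dry_run: bool = True) -> Dict[str, str]:
    """Start one DeleteStackInstances operation per stack set still targeting
    account_id and return {stack_set_name: operation_id} ("DRY-RUN" when
    nothing is called). retain_stacks=False deletes the stacks in the target
    account and needs AWSControlTowerExecution to be assumable there; use
    True for an account that is already suspended or has lost that role."""
    operations: Dict[str, str] = {}
    for name, regions in sorted(find_instances_for_account(cfn, account_id).items()):
        if dry_run:
            operations[name] = "DRY-RUN"
            continue
        resp = cfn.delete_stack_instances(
            StackSetName=name,
            Accounts=[account_id],
            Regions=regions,
            RetainStacks=retain_stacks,
            # one region at a time, stop on the first failure
            OperationPreferences={"MaxConcurrentCount": 1, "FailureToleranceCount": 0},
        )
        operations[name] = resp["OperationId"]
    return operations


class FakeCloudFormation:
    """Constructed stand-in for a boto3 CloudFormation client (example data,
    not a real environment). Stores {stack_set_name: [(account, region)]}."""

    def __init__(self, instances: Dict[str, List[Tuple[str, str]]]):
        self.instances = {name: list(pairs) for name, pairs in instances.items()}
        self.delete_calls: List[dict] = []

    def get_paginator(self, operation: str):
        fake = self

        class _Paginator:
            def paginate(self, **kwargs):
                if operation == "list_stack_sets":
                    yield {"Summaries": [{"StackSetName": n, "Status": "ACTIVE"}
                                         for n in fake.instances]}
                elif operation == "list_stack_instances":
                    name, acct = kwargs["StackSetName"], kwargs.get("StackInstanceAccount")
                    yield {"Summaries": [
                        {"StackSetName": name, "Account": a, "Region": r, "Status": "CURRENT"}
                        for a, r in fake.instances[name] if acct is None or a == acct]}
                else:
                    raise ValueError(f"unsupported paginator {operation}")

        return _Paginator()

    def delete_stack_instances(self, **kwargs):
        self.delete_calls.append(kwargs)
        name = kwargs["StackSetName"]
        self.instances[name] = [(a, r) for a, r in self.instances[name]
                                if not (a in kwargs["Accounts"] and r in kwargs["Regions"])]
        return {"OperationId": f"op-{len(self.delete_calls)}"}


# Constructed sample: 111111111111 is being decommissioned, 222222222222 stays.
SAMPLE_INSTANCES = {
    "AWSControlTowerBP-BASELINE-CONFIG": [("111111111111", "us-east-1"),
                                          ("222222222222", "us-east-1")],
    "CustomControlTower-Logging": [("111111111111", "us-east-1"),
                                   ("111111111111", "eu-west-1"),
                                   ("222222222222", "us-east-1")],
    "CustomControlTower-GuardDuty": [("222222222222", "us-east-1")],
}


def run_demo(account_id: str = "111111111111") -> Dict[str, str]:
    """Remove every instance for account_id from a fresh fake; afterwards
    find_instances_for_account() for that account is empty."""
    cfn = FakeCloudFormation(SAMPLE_INSTANCES)
    return delete_instances_for_account(cfn, account_id, retain_stacks=True, dry_run=False)


if __name__ == "__main__":
    # Real run: import boto3; cfn = boto3.client("cloudformation", region_name="us-east-1")
    print(run_demo())
```

Run it once with `dry_run=True` and compare the returned stack set names against what you expect Control Tower and CfCT to have deployed to that account; anything unexpected is a StackSet some other process created and should be looked at before deleting. Keep the "verify CfCT and StackSets are working properly" step from the procedure above: list the operations with `list-stack-set-operations` (or the console) and confirm each one reached SUCCEEDED before closing the account.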
