Back out of Organisations and IAM Identity Center

0

I have a tiny startup with no need for Organisations or SSO functionality. I enabled it because the GUI strongly suggested I should; in fact, it might have said it was mandatory. It's been nothing but hassle. Lots of functionality simply isn't there, like generating credentials for CodeCommit. I couldn't activate AWSCodeCommitPowerUser by any means, so I'm working with broad permissions. None of the tutorials have been updated, and most of the community seem unaware that IAM Identity Center and IAM are two different things, or that a user in one will not appear in the other. The data model is an accident waiting to happen in that you have to redundantly give users permissions even though they might get everything they need from a group they're in.

So I want to switch it off and revert to plain old IAM with no Organisations. I read some docs about this but it was not clear whether it was saying it would succeed or leave me in a totally dysfunctional state. I'd be quite happy to revert my whole account to a completely virgin state, but I want to use the same root account email.

So how do I either revert to plain old IAM or reset everything?

2 Answers
0

Here's how: https://docs.aws.amazon.com/singlesignon/latest/userguide/regions.html#delete-config

To delete your IAM Identity Center configuration

  1. Open the IAM Identity Center console.
  2. In the left navigation pane, choose Settings.
  3. On the Settings page, choose the Management tab.
  4. In the Delete IAM Identity Center configuration section, choose Delete.
  5. In the Delete IAM Identity Center configuration dialog, select each of the check boxes to acknowledge you understand that your data will be deleted. Type your IAM Identity Center instance in the text box, and then choose Confirm.

Deleting an organization https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_delete.html

When you no longer need your organization, you can delete it. Deleting an organization does not close the management account, instead it removes the management account from the organization and deletes the organization itself. The former management account becomes a standalone AWS account that is no longer managed by AWS Organizations. You then have three options: You can continue to use it as a standalone account, you can use it to create a different organization, or you can accept an invitation from another organization to add the account to that organization as a member account.

To delete an organization https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_delete_procedure.html

  1. Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.
  2. Before you can delete the organization, you must first remove all accounts from the organization. For more information, see Removing a member account from your organization.
  3. Navigate to the Settings page, and then choose Delete organization.
  4. In the Delete organization confirmation dialog box, enter the organization's ID which is displayed in the line above the text box. Then, choose Delete organization.

Important: This operation does not close the management account but does return it to a standalone AWS account. To close the account, follow the steps at Closing a member account in your organization.

EXPERT
answered 18 days ago
  • That's not what I wanted though. I wanted to deactivate AWS Organisations and IAM Identity Centre itself.
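A preflight check for the organization-deletion procedure above (step 2 in particular, and the commenter's point that "accounts" means AWS accounts, not users). This is an added example, not code from the original post or from AWS documentation; it assumes boto3 with a configured region and credentials for the management account, and the sample account list is constructed.

```python
"""Preflight check before deleting an AWS Organization (added example)."""
import sys

def accounts_blocking_deletion(management_account_id, accounts):
    """Return IDs of member accounts that must leave before DeleteOrganization.

    Only AWS accounts count here, never IAM or Identity Center users: the
    management account cannot be removed and is excluded; every other
    account (ACTIVE or SUSPENDED) blocks deletion.
    """
    return sorted(a["Id"] for a in accounts if a["Id"] != management_account_id)

def describe_plan(management_account_id, accounts, identity_center_instances):
    """Verdict on what still stands between this org and a standalone account."""
    problems = []
    blockers = accounts_blocking_deletion(management_account_id, accounts)
    if blockers:
        problems.append("remove member accounts first: " + ", ".join(blockers))
    if identity_center_instances:
        problems.append("delete the IAM Identity Center configuration first "
                        "(console: Settings > Management > Delete)")
    if problems:
        return "blocked: " + "; ".join(problems)
    return "ok: only the management account remains; DeleteOrganization will succeed"

# Constructed sample data (placeholder IDs) for the offline checks.
SAMPLE_MGMT = "111111111111"
SAMPLE_ACCOUNTS = [
    {"Id": "111111111111", "Name": "management", "Status": "ACTIVE"},
    {"Id": "222222222222", "Name": "dev-sandbox", "Status": "SUSPENDED"},
]

def main(apply=False):
    """Live check against the real org; apply=True actually deletes it."""
    import boto3  # imported here so the pure functions above need no AWS access

    org = boto3.client("organizations")
    mgmt = org.describe_organization()["Organization"]["MasterAccountId"]
    accounts = [a for page in org.get_paginator("list_accounts").paginate()
                for a in page["Accounts"]]
    instances = boto3.client("sso-admin").list_instances().get("Instances", [])
    verdict = describe_plan(mgmt, accounts, instances)
    print(verdict)
    if apply and verdict.startswith("ok"):
        org.delete_organization()  # management account becomes standalone
    return 0 if verdict.startswith("ok") else 1

if __name__ == "__main__":
    sys.exit(main(apply="--apply" in sys.argv))
```

Run without `--apply` first: it only reports what blocks deletion, which is the check the console dialog does not spell out.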

0

The answer turns out to be to go to Organisations and delete the root organisation. It's not true that you should first delete all its accounts; in fact, it isn't possible to delete its "master" account. But when I just had that one account in the org and deleted the whole org, it had precisely the desired effect: the account now stands alone with IAM Identity Centre disabled, and I can make IAM users, load my own public key into CodeCommit, use groups in the way you'd expect, and the world makes sense again.

Adrian
answered 18 days ago
  • You have to remove "AWS" accounts from the org before you can delete an org. It doesn't refer to user accounts. As you have 1 account, you can directly delete the org.
