Removing Stack Instances During Account Decommission

0

I'm looking for best practice guidance on removing accounts from Control Tower and dealing with stack instances. In my management account I have CfCT set up. If I understand correctly, I need to delete the Service Catalog product, move the account to a Suspended OU outside the scope of CfCT, and close the account. At that point, all stack instances from CT and CfCT will still remain and I should eventually remove them. My question is: do you need to remove these stack instances immediately to prevent errors in Control Tower or CfCT? Or can I remove these over an extended period of time (for example, 7 days) without risk of errors as I continue to use CT/CfCT?

Asked 1 year ago, 475 views
3 answers
1
Accepted answer

It would be better to remove them immediately during the account decommissioning process. CfCT may throw errors if an account is listed in stack instances and it can't access the account (suspended or had the AWSControlTowerExecution role removed).

AWS
Roguen
Answered 1 year ago
0

So it sounds like the best order of operations is to remove all stack sets from CT/CfCT prior to account closure. Or all together:

-Remove Service Catalog Product

-Move to suspended OU

-Delete any remaining Stack Instances

-Close account.

Answered 1 year ago
  • A few other steps that I think would be relevant with some added detail and a little re-ordering. For the most part I think you’ve got the idea though:

    -Move account to “Transitional” OU - or some OU that is outside of manifest OUs but within Control Tower governance. Do this by doing an update to the provisioned product in Service Catalog.

    -Rerun the CfCT pipeline, this action will delete StackSet instances deployed by CfCT from the account.

    -Terminate the provisioned Service Catalog product associated with the account to unmanage account from Control Tower. This action will also delete StackSet instances deployed by Control Tower from the account and also removes the Control Tower admin role.

    -Ensure all resources are shut down/deleted on the account (EC2, RDS, etc…).

    -Move to “Suspended” OU which is outside of both Control Tower control and CfCT manifest and has a deny * SCP attached

    --Leave in Suspended OU. Verify CfCT and StackSets are working properly.

    --Delete the account following this process: https://aws.amazon.com/premiumsupport/knowledge-center/close-aws-account/

    --The account will be in suspend mode for 90 days before deletion.

  • Thank you for the very thorough response to this!

0

And removing them is just a manual process (or could be scripted)?

Answered 1 year ago
  • It could be manual, though it's just removing the stack instances from the StackSets, so could be scripted via CLI calls or other tooling.
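As an added example (not part of this thread, Control Tower or the CfCT project), here is what that scripted cleanup can look like: it lists every active StackSet in the management account, finds the instance records that belong to the decommissioned account, and deletes them with RetainStacks=True, because once the account is suspended or the AWSControlTowerExecution role is gone CloudFormation cannot reach it to delete the stacks themselves. It assumes management-account credentials and the self-managed permission model that Control Tower and CfCT stack sets use; it is dry-run by default, and the sample summaries are constructed.

```python
"""List and remove the StackSet instances a decommissioned account leaves behind.
Added example; assumes management-account credentials and self-managed StackSets."""
from collections import defaultdict

# Constructed sample of ListStackInstances summaries (not real accounts or stack sets).
SAMPLE = [
    {"StackSetId": "example-baseline:1111-aaaa", "Region": "us-east-1", "Account": "111122223333"},
    {"StackSetId": "example-baseline:1111-aaaa", "Region": "eu-west-1", "Account": "111122223333"},
    {"StackSetId": "example-guardrails:2222-bbbb", "Region": "us-east-1", "Account": "111122223333"},
    {"StackSetId": "example-guardrails:2222-bbbb", "Region": "us-east-1", "Account": "444455556666"},
]


def plan_deletions(instances, account_id):
    """Group one account's stack instance summaries into {StackSetName: [regions]}.
    StackSetId has the form '<name>:<uuid>'; the name is what DeleteStackInstances needs."""
    plan = defaultdict(set)
    for inst in instances:
        if inst.get("Account") != account_id:
            continue
        plan[inst["StackSetId"].split(":", 1)[0]].add(inst["Region"])
    return {name: sorted(regions) for name, regions in plan.items()}


def remove_account_instances(account_id, dry_run=True):
    """Delete every instance record for account_id across all active StackSets.
    RetainStacks=True is deliberate: the suspended account is unreachable, so only
    the instance record is dropped and the StackSet stops trying to touch the account."""
    import boto3  # imported here so plan_deletions stays usable without boto3 installed
    cfn = boto3.client("cloudformation")
    summaries = []
    for page in cfn.get_paginator("list_stack_sets").paginate(Status="ACTIVE"):
        for ss in page["Summaries"]:
            for ipage in cfn.get_paginator("list_stack_instances").paginate(
                    StackSetName=ss["StackSetName"]):
                summaries.extend(ipage["Summaries"])
    plan = plan_deletions(summaries, account_id)
    operations = {}
    for name, regions in plan.items():
        print(f"{'DRY RUN ' if dry_run else ''}{name}: remove {account_id} in {regions}")
        if not dry_run:
            operations[name] = cfn.delete_stack_instances(
                StackSetName=name, Accounts=[account_id], Regions=regions,
                RetainStacks=True)["OperationId"]
    return plan, operations


if __name__ == "__main__":
    import sys
    # usage: python remove_instances.py <account-id> [--apply]
    remove_account_instances(sys.argv[1], dry_run="--apply" not in sys.argv)
```

Run it once without --apply and compare the printed plan against the StackSets you expect the account to be in before running it for real.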
