Closing Accounts
Have you ever had a scenario where you needed to close multiple AWS accounts?
This sometimes happens when projects end, companies merge, or strategies change.
AWS Organizations lets you close member accounts through the console or programmatically. This is fine for small numbers, but if you need to close a large number of accounts you may be rate limited or receive an AccountClosureLimitReached error once you reach a quota.
The Quotas
You can close up to 10% of the member accounts in an organization, to a maximum of 1000, within a rolling 30-day period. The current published quotas are:
- < 100 accounts – You can close up to 10 member accounts
- 100 – 10,000 accounts – You can close up to 10% of your member accounts
- > 10,000 accounts – You can close up to 1000 member accounts
Concurrency Limit: Only three account closures can be in progress at the same time.
Automating Closing With Step Functions
AWS Organizations does allow you to close an account programmatically through its API, but managing the quotas is left to the customer: there is no built-in way to queue accounts to be closed when the quota next allows it.
I’ve developed a solution that uses account tags and a scheduled Step Function to manage account closures. Target accounts are closed by adding a tag organizations:account-closure with a value of REQUESTED.
The account closure Step Function runs once per day and attempts to close every account carrying this tag until the account closure limit is reached. It retries each day until the closure succeeds, at which point the tag value is changed to ACKNOWLEDGED.
Step Function Graph
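The reconciliation a single daily run has to perform is shown below as an added example; it is not the author's published solution. It assumes a client exposing the boto3 Organizations method names (list_accounts, list_tags_for_resource, close_account, tag_resource) and botocore's error shape (exc.response["Error"]["Code"]). The FakeOrganizations client and its six accounts are constructed test data so the module runs offline, and the quota reason strings in QUOTA_REASONS are assumptions to check against the Organizations API documentation. Accounts that cannot be closed today keep their REQUESTED tag for the next run; the in-flight count from PENDING_CLOSURE accounts enforces the concurrency limit before the API has to refuse.

```python
"""Daily reconciliation of REQUESTED closure tags against the closure quotas.

Added example, not the author's repository code. Assumes boto3 Organizations
method names and botocore's ClientError shape; FakeOrganizations is constructed
test data so this runs offline.
"""

TAG_KEY = "organizations:account-closure"
REQUESTED = "REQUESTED"
ACKNOWLEDGED = "ACKNOWLEDGED"
MAX_IN_FLIGHT = 3  # published limit on closures in progress at one time

# Assumed ConstraintViolationException reasons meaning "quota hit, retry later".
QUOTA_REASONS = ("CLOSE_ACCOUNT_QUOTA_EXCEEDED", "CLOSE_ACCOUNT_REQUESTS_LIMIT_EXCEEDED")


def _quota_error(exc):
    """True if exc is a ConstraintViolationException caused by a closure quota."""
    resp = getattr(exc, "response", None) or {}
    if resp.get("Error", {}).get("Code") != "ConstraintViolationException":
        return False
    text = (resp.get("Reason") or "") + (resp["Error"].get("Message") or "")
    return any(reason in text for reason in QUOTA_REASONS)


def iter_accounts(org):
    """Yield every account in the organization, following NextToken pagination."""
    token = None
    while True:
        page = org.list_accounts(**({"NextToken": token} if token else {}))
        yield from page["Accounts"]
        token = page.get("NextToken")
        if not token:
            return


def closure_tag(org, account_id):
    """Return the value of the closure tag on an account, or None."""
    tags = org.list_tags_for_resource(ResourceId=account_id)["Tags"]
    return next((t["Value"] for t in tags if t["Key"] == TAG_KEY), None)


def close_requested_accounts(org):
    """One scheduled run: close as many REQUESTED accounts as the limits allow.

    Closed accounts are re-tagged ACKNOWLEDGED so they are never resubmitted;
    deferred ones keep REQUESTED so the next daily run retries them.
    """
    accounts = list(iter_accounts(org))
    in_flight = sum(1 for a in accounts if a["Status"] == "PENDING_CLOSURE")
    requested = [a["Id"] for a in accounts
                 if a["Status"] == "ACTIVE" and closure_tag(org, a["Id"]) == REQUESTED]
    closed, deferred, failed, quota_hit = [], [], [], False
    for account_id in requested:
        if quota_hit or in_flight >= MAX_IN_FLIGHT:
            deferred.append(account_id)  # nothing more will succeed today
            continue
        try:
            org.close_account(AccountId=account_id)
        except Exception as exc:  # narrow to botocore ClientError in real code
            if _quota_error(exc):
                quota_hit = True
                deferred.append(account_id)
            elif getattr(exc, "response", None):
                failed.append(account_id)  # per-account refusal; keep going
            else:
                raise
            continue
        org.tag_resource(ResourceId=account_id,
                         Tags=[{"Key": TAG_KEY, "Value": ACKNOWLEDGED}])
        closed.append(account_id)
        in_flight += 1
    return {"closed": closed, "deferred": deferred, "failed": failed,
            "quota_hit": quota_hit}


class FakeError(Exception):
    """Mimics the .response attribute of botocore.exceptions.ClientError."""
    def __init__(self, reason):
        super().__init__(reason)
        self.response = {"Error": {"Code": "ConstraintViolationException",
                                   "Message": reason}, "Reason": reason}


class FakeOrganizations:
    """In-memory stand-in for the boto3 Organizations client (constructed data)."""
    PAGE = 2  # small page size so pagination is exercised

    def __init__(self, accounts, tags, quota=None, refuse=()):
        self.accounts = {a["Id"]: dict(a) for a in accounts}
        self.tags = {k: dict(v) for k, v in tags.items()}
        self.quota, self.refuse, self.closed = quota, set(refuse), 0

    def list_accounts(self, NextToken="0"):
        ids, start = sorted(self.accounts), int(NextToken)
        out = {"Accounts": [self.accounts[i] for i in ids[start:start + self.PAGE]]}
        if start + self.PAGE < len(ids):
            out["NextToken"] = str(start + self.PAGE)
        return out

    def list_tags_for_resource(self, ResourceId):
        return {"Tags": [{"Key": k, "Value": v}
                         for k, v in self.tags.get(ResourceId, {}).items()]}

    def close_account(self, AccountId):
        if AccountId in self.refuse:
            raise FakeError("ACCOUNT_CANNOT_BE_CLOSED")
        if self.quota is not None and self.closed >= self.quota:
            raise FakeError("CLOSE_ACCOUNT_QUOTA_EXCEEDED")
        self.accounts[AccountId]["Status"] = "PENDING_CLOSURE"
        self.closed += 1

    def tag_resource(self, ResourceId, Tags):
        for t in Tags:
            self.tags.setdefault(ResourceId, {})[t["Key"]] = t["Value"]


def demo(quota=None, refuse=()):
    """Constructed organization: one closure already in flight, four REQUESTED."""
    accounts = [{"Id": "111111111111", "Status": "ACTIVE"},
                {"Id": "222222222222", "Status": "ACTIVE"},
                {"Id": "333333333333", "Status": "PENDING_CLOSURE"},
                {"Id": "444444444444", "Status": "ACTIVE"},
                {"Id": "555555555555", "Status": "SUSPENDED"},
                {"Id": "666666666666", "Status": "ACTIVE"}]
    tags = {"111111111111": {TAG_KEY: REQUESTED},
            "333333333333": {TAG_KEY: ACKNOWLEDGED},
            "444444444444": {TAG_KEY: REQUESTED},
            "555555555555": {TAG_KEY: REQUESTED},
            "666666666666": {TAG_KEY: REQUESTED}}
    org = FakeOrganizations(accounts, tags, quota=quota, refuse=refuse)
    return close_requested_accounts(org), org


if __name__ == "__main__":
    print(demo()[0])         # two closed, one deferred by the concurrency limit
    print(demo(quota=1)[0])  # one closed, quota_hit True, two deferred
```

To wire this into the real Step Function, replace FakeOrganizations with boto3.client("organizations") in the scheduled task and have the state machine read quota_hit from the result: a True value is the normal "try again tomorrow" outcome, not a failure, so the schedule should not alert on it. Accounts in the failed list were refused for a reason other than quota and will be retried forever unless someone changes their tag, so those are the ones worth surfacing.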
Always Be Closing
Once the solution is deployed, this capability can be used manually or as part of a larger process. You no longer need to track your quota and come back later to close accounts: the Step Function will always be closing for you.
Solution Repo
I’ve published my solution in this repo, where you can find additional details and future updates.