Scripted Unmanage of Control Tower Managed AWS Accounts prior to Closing


AWS best practice is to unmanage a member account before closing it. I can use the CloseAccount API to close the account, but the documentation is not clear on a scripted method to unmanage an AWS account.

The closest I can find is the aws servicecatalogue terminate-provisioned-product API but the terms unmanage and terminate appear to have different connotations

My use-case is to be able to fully close a Control Tower managed account inline with AWS best practises.

asked 2 years ago425 views
1 Answer
Accepted Answer


When you terminate the provisioned product in Service catalog (either through the console or the TerminateProvisionedProduct API), you are effectively un-managing the account.

Once you terminate the provisioned product, the account will show as "Not Enrolled" in Control Tower. You can then use the CloseAccount API to close the account. Once you do that, it will remain in the Suspended state for 90 days.

So if you were scripting this you can:

  1. Terminate the provisioned product via TerminateProvisionedProduct API
  2. Use DescribeRecord API to check the status of the above. Once fully terminated:
  3. Use CloseAccount API to close the account
profile pictureAWS
answered 2 years ago
  • Thanks thanks exactly the clarification I needed.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions