Considerations before removing an account from an organization - Amazon Organizations
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Considerations before removing an account from an organization

Before you remove an account, it's important to consider the following:

  • You can remove an account from your organization only if the account has the information that is required for it to operate as a standalone account. When you create an account in an organization using the Amazon Organizations console, API, or Amazon CLI commands, not all of the information that is required of standalone accounts is automatically collected. For each account that you want to make standalone, you must choose a support plan, provide and verify the required contact information, and provide a current payment method. Amazon uses the payment method to charge for any billable (not Amazon Free Tier) Amazon activity that occurs while the account isn't attached to an organization. To remove an account that doesn't yet have this information, follow the steps in Leave an organization from your member account.

  • To remove an account that you created in the organization, you must wait until at least seven days after the account was created. Invited accounts aren't subject to this waiting period.

  • At the moment the account successfully leaves the organization, the owner of the Amazon Web Services account becomes responsible for all new Amazon costs accrued, and the account's payment method is used. The management account of the organization is no longer responsible.

  • The account that you want to remove must not be a delegated administrator account for any Amazon service enabled for your organization. If the account is a delegated administrator, you must first change the delegated administrator account to another account that remains in the organization. For more information about how to disable or change the delegated administrator account for an Amazon service, see the documentation for that service.

  • Even after the removal of created accounts (accounts created using the Amazon Organizations console or the CreateAccount API) from within an organization, (i) created accounts are governed by the terms of the creating management account's agreement with us, and (ii) the creating management account remains jointly and severally liable for any actions taken by its created accounts. Customers' agreements with us, and the rights and obligations under those agreements, cannot be assigned or transferred without our prior consent. To obtain our consent, contact Amazon.

  • When a member account leaves an organization, that account no longer has access to cost and usage data from the time range when the account was a member of the organization. However, the management account of the organization can still access the data. If the account rejoins the organization, the account can access that data again.

  • When a member account leaves an organization, all tags attached to the account are deleted.

  • When you remove a member account from the organization, any IAM role that was created to enable access by the organization's management account isn't automatically deleted. If you want to terminate this access from the former organization's management account, then you must manually delete the IAM role. For information about how to delete a role, see Deleting roles or instance profiles in the IAM User Guide.
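A check for the leftover cross-account access described in the last item above, as an added example (not from the AWS documentation): it takes role records in the shape that IAM ListRoles returns and reports the roles whose trust policy still allows principals from the former management account. The account IDs and role names in the sample are constructed placeholders.

```python
import json
import re

# Bare 12-digit account ID, or an IAM/STS ARN in any partition (aws, aws-cn, ...).
_ACCOUNT_IN_PRINCIPAL = re.compile(r"^(?:arn:[^:]+:(?:iam|sts)::)?(\d{12})(?::.*)?$")

def _as_list(value):
    # Policy JSON allows a single item or a list in most positions.
    return value if isinstance(value, list) else [value]

def roles_trusting_account(roles, account_id):
    """Return sorted names of roles whose trust policy has an Allow statement
    naming a principal in account_id."""
    hits = set()
    for role in roles:
        doc = role["AssumeRolePolicyDocument"]
        if isinstance(doc, str):  # tolerate a policy supplied as a JSON string
            doc = json.loads(doc)
        for stmt in _as_list(doc.get("Statement", [])):
            principal = stmt.get("Principal")
            if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
                continue
            for entry in _as_list(principal.get("AWS", [])):
                match = _ACCOUNT_IN_PRINCIPAL.match(entry)
                if match and match.group(1) == account_id:
                    hits.add(role["RoleName"])
    return sorted(hits)

def _trust(effect, principal):
    # Helper for the constructed sample below (hypothetical, illustration only).
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": effect, "Principal": principal, "Action": "sts:AssumeRole"}]}

# Constructed sample: 111111111111 stands for the former management account.
SAMPLE_ROLES = [
    {"RoleName": "OrganizationAccountAccessRole",
     "AssumeRolePolicyDocument": _trust("Allow", {"AWS": "arn:aws-cn:iam::111111111111:root"})},
    {"RoleName": "CrossAccountAudit",
     "AssumeRolePolicyDocument": json.dumps(
         _trust("Allow", {"AWS": ["arn:aws:iam::222222222222:root", "111111111111"]}))},
    {"RoleName": "AppServer",
     "AssumeRolePolicyDocument": _trust("Allow", {"Service": "ec2.amazonaws.com"})},
    {"RoleName": "ExplicitDeny",
     "AssumeRolePolicyDocument": _trust("Deny", {"AWS": "arn:aws:iam::111111111111:role/Admin"})},
]

if __name__ == "__main__":
    print(roles_trusting_account(SAMPLE_ROLES, "111111111111"))
```

Each reported role is a candidate for deletion or for a trust-policy edit once the account is standalone.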

Effects of removing an account from an organization

When you remove an account from an organization, no direct changes are made to the account. However, the following indirect effects occur:

  • The account is now responsible for paying its own charges and must have a valid payment method attached to the account.

  • The principals in the account are no longer affected by any policies that applied in the organization. This means that restrictions imposed by SCPs are gone, and the users and roles in the account might have more permissions than they had before. Other organization policy types can no longer be enforced or processed.

  • If you use the aws:PrincipalOrgID condition key in any policies to restrict access to only users and roles from Amazon Web Services accounts in your organization, then you should review, and possibly update, these policies before removing the member account. If you don't update the policies, then users and roles in the account could lose access to the resources when the account leaves the organization.

  • Integration with other services might be disabled. If you remove an account from an organization that has integration with an Amazon service enabled, the users in that account can no longer use that service.