Leave an organization from your member account - Amazon Organizations
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Leave an organization from your member account

When you sign in to a member account, you can remove that one account from its organization. To do this, complete the following procedure. This procedure applies only to member accounts. The management account can't leave the organization using this technique. To remove the management account, you must delete the organization.

Note

An account’s status with an organization affects what cost and usage data is visible:

  • If a member account leaves an organization and becomes a standalone account, the account no longer has access to cost and usage data from the time range when the account was a member of the organization. The account has access only to the data that is generated as a standalone account.

  • If a member account leaves organization A to join organization B, the account no longer has access to cost and usage data from the time range when the account was a member of organization A. The account has access only to the data that is generated as a member of organization B.

  • If an account rejoins an organization that it previously belonged to, the account regains access to its historical cost and usage data.

Important

If you leave an organization, you are no longer covered by organization agreements that were accepted on your behalf by the management account of the organization. You can view a list of these organization agreements in the Amazon Artifact console on the Amazon Artifact Organization Agreements page. Before leaving the organization, you should determine (with the assistance of your legal, privacy, or compliance teams where appropriate) whether it is necessary for you to have new agreement(s) in place.

Minimum permissions

To leave an Amazon organization, you must have the following permissions:

  • organizations:DescribeOrganization – required only when using the Organizations console.

  • organizations:LeaveOrganization – Note that the organization administrator can apply a policy to your account that removes this permission, preventing you from removing your account from the organization.

  • If you sign in as an IAM user and the account is missing payment information, the user must have either aws-portal:ModifyBilling and aws-portal:ModifyPaymentMethods permissions (if the account has not yet migrated to fine-grained permissions) OR payments:CreatePaymentInstrument and payments:UpdatePaymentPreferences permissions (if the account has migrated to fine-grained permissions). Also, the member account must have IAM user access to billing enabled. If this isn't already enabled, see Activating Access to the Billing and Cost Management Console in the Amazon Billing User Guide.

Amazon Web Services Management Console
To leave an organization from your member account

  1. Sign in to the Amazon Organizations console at Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in a member account.

    By default, you don't have access to the root user password in a member account that was created using Amazon Organizations. If required, recover the root user password by following the steps at Accessing a member account as the root user.

  2. On the Organizations Dashboard page, choose Leave this organization.

  3. In the Confirm leaving the organization? dialog box, choose Leave organization. When prompted, confirm your choice to remove the account. Once confirmed, you are redirected to the Getting Started page of the Amazon Organizations console, where you can view any pending invitations for your account to join other organizations.

    If you see a You can't leave the organization yet message, your account doesn't have all the required information to operate as a standalone account. If this is the case, proceed to the next step.

  4. If the Confirm leaving the organization? dialog box displays the message You can't leave the organization yet, choose the Complete the account sign-up steps link.

  5. On the Sign up for Amazon page, enter all of the required information necessary for this to become a standalone account. This might include the following types of information:

    • Contact name and address

    • Valid payment method

    • Phone number verification

    • Support plan options

  6. When you see the dialog box stating that the sign-up process is complete, choose Leave organization.

    A confirmation dialog box appears. Confirm your choice to remove the account. You are redirected to the Getting Started page of the Amazon Organizations console, where you can view any pending invitations for your account to join other organizations.

  7. Remove the IAM roles that grant access to your account from the organization.

    Important

    If your account was created in the organization, then Organizations automatically created an IAM role in the account that enabled access by the organization's management account. If the account was invited to join, then Organizations did not automatically create such a role, but you or another administrator might have created one to get the same benefits. In either case, when you remove the account from the organization, any such role isn't automatically deleted. If you want to terminate this access from the former organization's management account, then you must manually delete this IAM role. For information about how to delete a role, see Deleting roles or instance profiles in the IAM User Guide.

Amazon CLI & Amazon SDKs
To leave an organization as a member account

You can use one of the following commands to leave an organization:

  • Amazon CLI: leave-organization

    The following example causes the account whose credentials are used to run the command to leave the organization.

    $ aws organizations leave-organization

    This command produces no output when successful.

  • Amazon SDKs: LeaveOrganization

After the member account has left the organization, make sure to remove the IAM roles that grant access to your account from the organization.

Important

If your account was created in the organization, then Organizations automatically created an IAM role in the account that enabled access by the organization's management account. If the account was invited to join, then Organizations did not automatically create such a role, but you or another administrator might have created one to get the same benefits. In either case, when you remove the account from the organization, any such role isn't automatically deleted. If you want to terminate this access from the former organization's management account, then you must manually delete this IAM role. For information about how to delete a role, see Deleting roles or instance profiles in the IAM User Guide.

Member accounts can also be removed by a user in the management account with remove-account-from-organization instead. For more information, see Remove a member account from your organization.