Manual cleanup tasks required after decommissioning - AWS Control Tower

Manual cleanup tasks required after decommissioning

This section lists manual cleanup tasks you must perform after the initial decommissioning step.

  • You must specify different email addresses for the Log archive and Audit accounts if you create a new landing zone after decommissioning one, or follow the procedure for bringing your own existing Log archive or Audit accounts.

  • The CloudWatch Logs log group, aws-controltower/CloudTrailLogs, must be deleted manually before you set up another landing zone.

  • The two Amazon S3 buckets with reserved names for logs must be removed, or renamed, manually.

  • You must delete, or rename, the existing Security and Sandbox organizational units manually.

    Note

    Before you can delete the AWS Control Tower Security OU, you must first delete the logging and audit accounts, but not the management account. To delete these accounts, you must sign in as a root user to the audit account and to the logging account and delete them individually.

  • You may wish to delete the AWS IAM Identity Center (IAM Identity Center) configuration for AWS Control Tower manually, but you can proceed with the existing IAM Identity Center configuration.

  • You may wish to remove the VPC created by AWS Control Tower, and remove the associated AWS CloudFormation stack set.

  • Before you can set up a new landing zone in a new AWS Region, you must follow these additional steps.

    • Enter the following command through the CLI:

      aws organizations disable-aws-service-access --service-principal controltower.amazonaws.com

    • Delete the remaining managed rule, called AWSControlTowerManagedRule, from the shared and member accounts for all governed Regions. AWSControlTowerManagedRule is an Amazon EventBridge rule.
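The following check script is an added example and is not part of the AWS Control Tower documentation or tooling. It reads the JSON that the relevant AWS CLI list/describe commands return (run them with --output json and pass the parsed results in) and reports which of the cleanup items above are still outstanding; the sample responses are constructed, and the reserved log bucket name prefix is an assumption rather than something this page states.

```python
import json

# Names taken from the cleanup list above.
LOG_GROUP = "aws-controltower/CloudTrailLogs"
SERVICE_PRINCIPAL = "controltower.amazonaws.com"
MANAGED_RULE = "AWSControlTowerManagedRule"
RESERVED_OUS = {"Security", "Sandbox"}
BUCKET_PREFIX = "aws-controltower-"  # assumption: reserved log buckets start with this


def remaining_cleanup(service_access, log_groups, rules_by_scope, ous, buckets):
    """Return the cleanup items that are still outstanding.

    service_access : `aws organizations list-aws-service-access-for-organization`
    log_groups     : `aws logs describe-log-groups`
    rules_by_scope : {"<account>/<region>": `aws events list-rules`} per governed Region
    ous            : `aws organizations list-organizational-units-for-parent`
    buckets        : `aws s3api list-buckets` (run in the Log archive account)
    """
    items = []
    if any(p.get("ServicePrincipal") == SERVICE_PRINCIPAL
           for p in service_access.get("EnabledServicePrincipals", [])):
        items.append(f"run: aws organizations disable-aws-service-access "
                     f"--service-principal {SERVICE_PRINCIPAL}")
    if any(g.get("logGroupName") == LOG_GROUP for g in log_groups.get("logGroups", [])):
        items.append(f"delete CloudWatch Logs log group {LOG_GROUP}")
    for scope, rules in rules_by_scope.items():
        if any(r.get("Name") == MANAGED_RULE for r in rules.get("Rules", [])):
            items.append(f"delete EventBridge rule {MANAGED_RULE} in {scope}")
    for ou in ous.get("OrganizationalUnits", []):
        if ou.get("Name") in RESERVED_OUS:
            items.append(f"delete or rename OU {ou['Name']} ({ou['Id']})")
    for b in buckets.get("Buckets", []):
        if b.get("Name", "").startswith(BUCKET_PREFIX):
            items.append(f"remove or rename S3 bucket {b['Name']}")
    return items


# Constructed sample responses (not real account data), shaped like the CLI JSON output.
SAMPLE = {
    "service_access": {"EnabledServicePrincipals": [{"ServicePrincipal": SERVICE_PRINCIPAL}]},
    "log_groups": {"logGroups": [{"logGroupName": LOG_GROUP}, {"logGroupName": "/aws/lambda/app"}]},
    "rules_by_scope": {"111111111111/us-east-1": {"Rules": [{"Name": MANAGED_RULE}]},
                       "222222222222/us-east-1": {"Rules": []}},
    "ous": {"OrganizationalUnits": [{"Id": "ou-examp-12345678", "Name": "Security"},
                                    {"Id": "ou-examp-87654321", "Name": "Workloads"}]},
    "buckets": {"Buckets": [{"Name": "aws-controltower-logs-111111111111-us-east-1"},
                            {"Name": "my-app-assets"}]},
}

if __name__ == "__main__":
    print(json.dumps(remaining_cleanup(**SAMPLE), indent=2))
```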