AWS CloudWatch Scheduled Event and Lambda Function
Question
A big company has used AWS Organizations to manage its various AWS accounts by using several organization units.
The organization master account is in charge of running the whole organization.
One child AWS account belongs to the data analysis department.
The company has recently made some organizational adjustments and needs to remove the data analysis department from the existing AWS Organizations.
However, an error happened when the data analysis AWS administrator tried to leave the organization as a member account in the AWS console.
Which below options are possible reasons for the failure? Select 2.
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D.Correct Answer - A, C.
According to https://docs.aws.amazon.com/organizations/latest/userguide/orgs_troubleshoot_general.html#troubleshoot_general_error-leaving-org, if an error happens when a member leaves an organization, two things need to be checked:
You can remove a member account only after enabling IAM user access to billing in the member account.
You can remove an account from your organization only if the account has the information required to operate as a standalone account.
For the IAM user access to billing settings, log in to the AWS console and modify that in “My account” -> “IAM User and Role Access to Billing Information”:
Other than this, there are some minimum IAM policy requirements for Leaving Organizations as a Member Account (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_remove.html#orgs_manage_accounts_leave-as-member):
organizations:DescribeOrganization (console only).
organizations:LeaveOrganization - Note that the organization administrator can apply a policy to your account that removes this permission, preventing you from removing your account from the organization.
If you sign in as an IAM user and the account is missing payment information, the IAM user must have the permissions aws-portal:ModifyBilling and aws-portal:ModifyPaymentMethods.
Option A is CORRECT: Because this is a necessary step before leaving AWS Organizations.
Option B is incorrect: Because there is no such limitation for overdue bills.
Option C is CORRECT: Because in order to leave an AWS Organizations in console, organizations:DescribeOrganization and organizations:LeaveOrganization are required.
Option D is incorrect: Because the member account can leave AWS Organizations as long as it meets the above requirements.
AWS Organizations is a service that helps to centrally manage and govern multiple AWS accounts. It allows an organization to create separate accounts for different teams, projects, or applications, and manage them under a single master account. AWS Organizations provides various features such as consolidated billing, access control, and policy enforcement across member accounts.
In this scenario, the company has used AWS Organizations to manage its AWS accounts, and the data analysis department has a child account. Due to some organizational adjustments, the company wants to remove the data analysis department from AWS Organizations.
When a member account tries to leave an AWS organization, several checks are performed before the account is removed from the organization. If any of these checks fail, the account cannot leave the organization, and an error occurs.
The possible reasons for the failure of the data analysis department's AWS account to leave the organization are:
A. The member account was removed before the IAM user access to billing in the member account was enabled. This setting controls the access to Account Settings, Payment Methods, and Report pages.
Before an AWS account can leave an organization, the IAM user of that account needs to have access to the billing information of the account. This access can be granted by enabling the "IAM user access to billing information" option in the billing and cost management console. If this option is not enabled, the member account cannot leave the organization, and an error occurs.
B. The member account has bills that are already overdue for several days. All overdue bills need to be paid before the account is removed from the AWS Organizations.
If a member account has overdue bills, it cannot leave the organization until all the bills are paid. This is because the master account is responsible for paying the bills of all member accounts under the organization. If any account has overdue bills, the master account cannot remove it from the organization until the bills are paid.
C. The IAM user of the member account does not have the permission of “organizations:DescribeOrganization” or “organizations:LeaveOrganization” so that it is blocked by IAM policy.
The IAM user of the member account needs to have the necessary permissions to leave the organization. If the IAM policy attached to the user does not allow the "organizations:DescribeOrganization" or "organizations:LeaveOrganization" actions, the member account cannot leave the organization.
D. Member account cannot leave AWS Organizations by itself. Instead, the root account can remove member account if it has “organizations:RemoveAccountFromOrganization” permission.
A member account cannot leave the organization by itself. Instead, the root account of the organization needs to remove the member account using the "organizations:RemoveAccountFromOrganization" permission. If the IAM user of the member account does not have this permission, the member account cannot leave the organization.
In conclusion, the possible reasons for the failure of the data analysis department's AWS account to leave the organization are related to access to billing information, overdue bills, IAM permissions, and the need for the root account to remove the member account. The appropriate steps need to be taken to address these issues before the member account can leave the organization.