Moving an AWS account between AWS Organizations is a well-defined process. AWS provides guidance on this. When the account is being moved from a Stax-managed AWS Organization to another AWS Organization, there are additional considerations.
For guidance in moving an AWS account to a Stax-managed AWS Organization, see Onboard an AWS Account to Stax.
Before you begin
- Ensure you are a member of the Admin role in your Stax tenancy
- Familiarize yourself with your organization's account ownership model. This is important when validating which steps should be performed as part of this procedure
Customer-Owned Management Account
If your management account is customer-owned, you can migrate the account by following the AWS guidance with one additional step. You must first raise a support case disclosing your intention to migrate the AWS account out of the Stax-managed AWS organization.
Once the case is raised, access the AWS organization's management account and remove the AWS account from the Stax-managed organizational unit (OU). Once removed from the OU, Stax's protections will no longer be applied to the account.
After this task is completed, you may perform the AWS-prescribed tasks to migrate the account to the new AWS Organization. You may need to change the account's email address in this process.
Reseller-Owned Management Account
If your management account is reseller-owned, you must work with the reseller to migrate the account. If Stax is not your reseller, you must also raise a support case disclosing your intention to migrate the AWS account out of the Stax-managed AWS Organization.
The Stax support team will work with you and your reseller to remove the account from the Stax-managed AWS organization.
Once the account is removed from the AWS Organization, you should:
- Advise Stax Support via the existing support case that you have removed the AWS account from the organization. Stax will no longer attempt to monitor or manage the AWS account once this advice has been received and processed
- Modify the OrganizationAccountAccessRole IAM Role, replacing the old organization management account ID with the new organization's management account ID
- Remove remaining resources that grant Stax permissions to monitor and manage the account. The CloudFormation stacks listed below contain IAM roles that should be removed. Use the AWS region of your Stax Installation Region to determine which region each stack exists in.
| Resource Name | Resource Type | Region |
| --- | --- | --- |
| stax-Provisioning | CloudFormation Stack | Stax Installation Region |
| stax-spotlight-service-role | CloudFormation Stack | Stax Installation Region |
| stax-idp | CloudFormation Stack | Stax Installation Region |
| stax-admin-idp | CloudFormation Stack | Stax Installation Region |
| stax-stackset-member-role | CloudFormation Stack | Stax Installation Region |
| stax-aws-support-events | CloudFormation Stack | us-east-1 |
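One way to prepare the OrganizationAccountAccessRole trust policy change described above, as an added example that is not part of the Stax or AWS documentation. The function names, the account IDs `111111111111` (old management account) and `222222222222` (new management account) and the `legacy-admin` role are constructed placeholders; only the account-level principal is rewritten, and anything else still naming the old account is returned for manual review.

```python
import copy
import re

ROOT_ARN = re.compile(r"arn:aws[\w-]*:iam::(\d{12}):root")
# Constructed sample trust policy; both account IDs and the role name are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:role/legacy-admin"]}},
    ],
}

def _rewrite(value, old_id, new_id):
    """Rewrite a bare account ID or account-root ARN; leave anything else alone."""
    m = ROOT_ARN.fullmatch(value)
    if value == old_id or (m and m.group(1) == old_id):
        return value.replace(old_id, new_id)
    return value

def _strings(node):
    """Yield every string value nested anywhere in the policy document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from _strings(child)

def retarget_trust_policy(policy, old_id, new_id):
    """Return (updated_policy, leftovers); leftovers still name old_id and need review."""
    if not all(re.fullmatch(r"\d{12}", a) for a in (old_id, new_id)):
        raise ValueError("account IDs must be 12 digits")
    updated = copy.deepcopy(policy)  # never mutate the caller's copy
    statements = updated.get("Statement", [])
    changed = 0
    for stmt in [statements] if isinstance(statements, dict) else statements:
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or "AWS" not in principal:
            continue
        aws = principal["AWS"]
        values = [aws] if isinstance(aws, str) else aws
        rewritten = [_rewrite(v, old_id, new_id) for v in values]
        changed += sum(a != b for a, b in zip(values, rewritten))
        principal["AWS"] = rewritten[0] if isinstance(aws, str) else rewritten
    if changed == 0:
        raise ValueError("old management account is not a trusted principal")
    return updated, sorted({s for s in _strings(updated) if old_id in s})
```

After reviewing any leftovers, the updated document can be applied with `aws iam update-assume-role-policy --role-name OrganizationAccountAccessRole --policy-document file://trust.json`, where `trust.json` is an assumed file name holding the returned policy.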