Decommission an AWS account out of a Guardrails workspace
Turbot Guardrails natively allows a Guardrails administrator to remove an AWS account from a workspace. The delete action removes any associated policies and references in the Guardrails CMDB, but NO RESOURCES ARE DELETED FROM THE TARGET ACCOUNT. Careful consideration must be made when removing resources within the account, as once data is deleted, such as CloudTrail and logs in S3, it cannot be restored.
Before the delete process is started, administrators will want to determine if they would like to keep Guardrails-managed resources in the account, such as S3 buckets, or CloudTrail. The following policies can be set at the AWS account within the Guardrails workspace to facilitate cleanup. Be sure to verify that the exceptions are being set ONLY on the account that will be removed.
AWS > Turbot > Permissionsset to
Enforce: None. This will remove Guardrails-managed IAM policies, groups, roles and users.
AWS > Turbot > Audit Trailset to
Enforce: Not configured. This will remove the Guardrails-managed CloudTrail.
AWS > Turbot > Event Handlersset to
Enforce: Not configured. This will remove Guardrails-managed Cloudwatch Event Rules and SNS topics. Refer to the Event Handler documentation for additional context.
AWS > Turbot > Service Rolesset to
Enforce: Not configured. This will remove any Guardrails-managed IAM service roles.
AWS > Turbot > Logging > Bucketset to
Enforce: Not configured. This will remove Guardrails-managed logging S3 buckets. Note: Logging buckets cannot be deleted if they are not empty. Administrators can empty the bucket using the AWS console.
AWS > Turbot > Event Pollerto
Disabled. When event handlers are set to
Enforce: Not Configured, Polling is automatically enabled. It must be explicitly disabled. Note that full cleanup of event handler resources requires event pollers to still be active. Disable Event Pollers after verifying that all Event Handler infrastructure has been removed from the account.
Once the controls associated with the above policies have completed, the AWS account can be deleted from the Guardrails workspace. Any combination of the policies can be used to target specific resources while leaving important audit logging data available.
Steps to remove an account from Guardrails
Prior to performing the below steps, delete the policies
AWS > Account > Turbot IAM Role > External ID and
AWS > Account > Turbot IAM Role configured on the target account. Once they
have been removed, the account can be deleted from Guardrails.
- In the Guardrails console, navigate to the account that needs to be removed.
- Click the Delete button in the top right. If you do not see the delete button, reach out to your Guardrails workspace administrator for proper access.
- In the pop-up dialog box, copy the account ID and paste in the text box.
Delete. While this is not irreversible (simply reimport the account), it can be time and resource consuming. Be sure to double and triple check!
- Guardrails will begin the delete process. The time to complete the deletion will depend on the number of resources and policies that will be removed. The more resources that are being deleted, the longer the process will take.
A time-out error may occur when deleting an account; the delete function is a complex SQL transaction, and failures in referential integrity or other blocking/locking database activity can cause the delete to fail. Should the account delete transaction timeout, the Guardrails DB will roll back the transaction and the account remains in the workspace.
If an error message is encountered, ensure that AWS event handlers
for that account have been removed in all regions so no new transactions are incoming,
remove the policy settings at the account level that contain the security
credentials Guardrails uses to access the account, and try again. It may take
several attempts to delete the account. If the deletion error persists for more
than several hours after removing the event handlers, and you have verified that
no account activity is taking place in the
Activity tab, please open a ticket
with Turbot Support.