A big company has used AWS Organizations to manage its various AWS accounts by using several organization units. The organization master account is in charge of running the whole organization. One child AWS account belongs to the data analysis department. The company has recently made some organizational adjustments and needs to remove the data analysis department from the existing AWS Organizations. However, an error happened when the data analysis AWS administrator tried to leave the organization as a member account in the AWS console. Which below options are possible reasons for the failure? Select 2.

Answer options:

A.The member account was removed before the IAM user access to billing in the member account was enabled. This setting controls the access to Account Settings, Payment Methods, and Report pages.
B.The member account has bills that are already overdue for several days. All overdue bills need to be paid before the account is removed from the AWS Organizations.
C.The IAM user of the member account does not have the permission of “organizations:DescribeOrganization” or “organizations:LeaveOrganization” so that it is blocked by IAM policy.
D.Member account cannot leave AWS Organizations by itself. Instead, the root account can remove member account if it has “organizations:RemoveAccountFromOrganization” permission.

Correct Answer – A, C
 
According to https://docs.aws.amazon.com/organizations/latest/userguide/orgs_troubleshoot_general.html#troubleshoot_general_error-leaving-org, if an error happens when a member leaves an organization, two things need to be checked:
You can remove a member account only after enabling IAM user access to billing in the member account.
You can remove an account from your organization only if the account has the information required to operate as a standalone account.
For the IAM user access to billing settings, log in to the AWS console and modify that in “My account” -> “IAM User and Role Access to Billing Information”:
Other than this, there are some minimum IAM policy requirements for Leaving Organizations as a Member Account (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_remove.html#orgs_manage_accounts_leave-as-member):
organizations:DescribeOrganization (console only).
organizations:LeaveOrganization – Note that the organization administrator can apply a policy to your account that removes this permission, preventing you from removing your account from the organization.
If you sign in as an IAM user and the account is missing payment information, the IAM user must have the permissions aws-portal:ModifyBilling and aws-portal:ModifyPaymentMethods.
Option A is CORRECT: Because this is a necessary step before leaving AWS Organizations.
Option B is incorrect: Because there is no such limitation for overdue bills.
Option C is CORRECT: Because in order to leave an AWS Organizations in console, organizations:DescribeOrganization and organizations:LeaveOrganization are required.
Option D is incorrect: Because the member account can leave AWS Organizations as long as it meets the above requirements.