AWS Suspect Organization Exit

View all detections
AWS Suspect Organization Exit


  • An AWS control-plane API was invoked in an attempt to leave the AWS Organization in which the target account is a member.

Possible Root Causes

  • An attacker is attempting to leave the AWS organization in which the target account is a member. This is done in order to evade restrictions and disrupt logging visibility.
  • An administrator or automated task is performing authorized account migration activities.

Business Impact

  • An attacker who is able to hinder the defenses of their victim also has the ability to evade detection.
  • If an attacker is able to successfully remove a targeted AWS account from its AWS Organization:
    - Guardrails such as Service Control Policies (SCP) will be lifted leading to an increased risk of malicious activity in the account.
    - Logging may be interrupted and as a result there would be at an increased risk of malicious activity in the account going unnoticed.

Steps to Verify

  • Investigate the Principal which performed the actions for other signs of malicious activity. • Review security policy to determine if the removing the Member Account from the Organization is allowed.
  • If review indicates possible malicious actions or high-risk modifications:
    - Disable credentials associated with this alert.
    - Invite the Member Account to re-join the Organization.
    - Establish control over the email inbox of the Member Account Root User in order to approve the invitation to re-join the Organization.
    - Perform a comprehensive investigation to determine initial compromise and the scope of impacted resources.
    - Create a Service Control Policies (SCP) preventing Member Accounts from leaving the Organization.