An AWS account removed itself from the organization
Description
AlphaSOC detected that an AWS account removed itself from the organization using
the RemoveAccountFromOrganization or LeaveOrganization action. These actions may
indicate an attempt by threat actors to disable security measures and evade
detection. By leaving the organization, the account may bypass centralized
security controls, logging, and monitoring, reducing oversight and increasing
the risk of undetected malicious activity within the environment.
Impact
Leaving the organization reduces visibility into account activity and may result in non-compliance with organizational policies. It creates blind spots in monitoring and logging, enabling adversaries to perform malicious activities without detection. This could potentially lead to data breaches or unauthorized access to resources.
Severity
Severity | Condition |
---|---|
Low | An AWS account removed itself from the organization |
Investigation and Remediation
Review AWS CloudTrail logs to verify whether this action was authorized. If the action was unauthorized and the account was created within the organization, you can try to regain access by using AWS IAM roles (AWS Organizations automatically creates an IAM role in the account that enables access by the organization's management account). Conduct a thorough security assessment to identify other potential signs of compromise or data breaches.
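As a starting point for the CloudTrail review described above, the following added example (not AlphaSOC's own detection logic) filters CloudTrail records for the two actions and sorts each call into a triage status. The approved-caller list, account IDs, IP addresses, the sample records and the `accountId` request-parameter key are assumptions made for illustration.

```python
import json

# Event names this detection covers, as named in the description above.
WATCHED = {"LeaveOrganization", "RemoveAccountFromOrganization"}
# Assumption: principals your change process permits to detach accounts.
APPROVED_CALLERS = {"arn:aws:iam::111111111111:role/OrgAdmin"}

# Constructed CloudTrail records for illustration (not real log data).
SAMPLE_RECORDS = json.loads("""[
 {"eventTime": "2024-05-01T10:02:11Z", "eventSource": "organizations.amazonaws.com",
  "eventName": "LeaveOrganization", "sourceIPAddress": "198.51.100.7",
  "recipientAccountId": "222222222222", "requestParameters": null,
  "userIdentity": {"arn": "arn:aws:iam::222222222222:user/build"}},
 {"eventTime": "2024-05-01T09:15:40Z", "eventSource": "organizations.amazonaws.com",
  "eventName": "RemoveAccountFromOrganization", "sourceIPAddress": "203.0.113.20",
  "recipientAccountId": "111111111111", "requestParameters": {"accountId": "333333333333"},
  "userIdentity": {"arn": "arn:aws:iam::111111111111:role/OrgAdmin"}},
 {"eventTime": "2024-05-01T09:58:03Z", "eventSource": "organizations.amazonaws.com",
  "eventName": "LeaveOrganization", "sourceIPAddress": "198.51.100.7",
  "recipientAccountId": "222222222222", "requestParameters": null,
  "errorCode": "AccessDeniedException",
  "userIdentity": {"arn": "arn:aws:iam::222222222222:user/build"}},
 {"eventTime": "2024-05-01T09:57:00Z", "eventSource": "organizations.amazonaws.com",
  "eventName": "DescribeOrganization", "sourceIPAddress": "198.51.100.7",
  "recipientAccountId": "222222222222", "requestParameters": null,
  "userIdentity": {"arn": "arn:aws:iam::222222222222:user/build"}}
]""")

def triage(records, approved=APPROVED_CALLERS):
    """Return one finding per watched Organizations call, oldest first."""
    findings = []
    for rec in records:
        if (rec.get("eventSource") != "organizations.amazonaws.com"
                or rec.get("eventName") not in WATCHED):
            continue
        caller = (rec.get("userIdentity") or {}).get("arn", "unknown")
        # accountId key name is assumed; LeaveOrganization has no parameters.
        params = rec.get("requestParameters") or {}
        account = params.get("accountId") or rec.get("recipientAccountId")
        if rec.get("errorCode"):
            status = "attempt_failed"   # denied call: still worth a look
        elif caller in approved:
            status = "approved_caller"  # confirm against a change ticket
        else:
            status = "needs_review"
        findings.append({"time": rec["eventTime"], "event": rec["eventName"],
                         "account": account, "caller": caller,
                         "source_ip": rec.get("sourceIPAddress"), "status": status})
    return sorted(findings, key=lambda f: f["time"])
```

Calling `triage(SAMPLE_RECORDS)` returns three findings; a denied attempt followed minutes later by a successful call from the same principal and source IP is the sequence to escalate first.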