An AWS account removed itself from the organization

ID: aws_account_left_organization
Data type: AWS CloudTrail
Severity: Low
MITRE ATT&CK: TA0005:T1562

Description

AlphaSOC detected that an AWS account removed itself from the organization using the RemoveAccountFromOrganization or LeaveOrganization action. These actions may indicate an attempt by threat actors to disable security measures and evade detection. By leaving the organization, the account may bypass centralized security controls, logging, and monitoring, reducing oversight and increasing the risk of undetected malicious activity within the environment.

Impact

Leaving the organization reduces visibility into account activity and may result in non-compliance with organizational policies. It creates blind spots in monitoring and logging, enabling adversaries to perform malicious activities without detection. This could potentially lead to data breaches or unauthorized access to resources.

Severity

Severity: Low
Condition: An AWS account removed itself from the organization

Investigation and Remediation

Review AWS CloudTrail logs to verify whether this action was authorized. If the action was unauthorized and the account was created within the organization, you can try to regain access by using AWS IAM roles (AWS Organizations automatically creates an IAM role in the account that enables access by the organization's management account). Conduct a thorough security assessment to identify other potential signs of compromise or data breaches.
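As a starting point for the CloudTrail review described above, the following added example (not AlphaSOC's rule logic) pulls the two Organizations actions out of a CloudTrail log and flags calls made by principals outside an approved list. The sample records, account IDs, ARNs, IP addresses and the `approved_callers` allowlist are constructed for illustration, and the `accountId` key under `requestParameters` is an assumption about how the request is logged.

```python
import json

# Organizations API calls that detach an account from its organization.
DETACH_EVENTS = {"LeaveOrganization", "RemoveAccountFromOrganization"}

# Constructed sample CloudTrail records (all identifiers are made up).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "LeaveOrganization",
     "eventSource": "organizations.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accountId": "111111111111",
                      "arn": "arn:aws:iam::111111111111:user/example-user"},
     "requestParameters": None},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "RemoveAccountFromOrganization",
     "eventSource": "organizations.amazonaws.com", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"accountId": "999999999999",
                      "arn": "arn:aws:iam::999999999999:role/example-org-admin"},
     "requestParameters": {"accountId": "222222222222"},
     "errorCode": "AccessDeniedException"},
    {"eventTime": "2024-05-01T10:06:00Z", "eventName": "DescribeOrganization",
     "eventSource": "organizations.amazonaws.com", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"accountId": "999999999999",
                      "arn": "arn:aws:iam::999999999999:role/example-org-admin"}},
]})

def find_detach_events(cloudtrail_json, approved_callers=frozenset()):
    """Return one finding per detach call, including failed attempts."""
    findings = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if rec.get("eventSource") != "organizations.amazonaws.com":
            continue
        if rec.get("eventName") not in DETACH_EVENTS:
            continue
        identity = rec.get("userIdentity") or {}
        params = rec.get("requestParameters") or {}
        findings.append({
            "time": rec.get("eventTime"),
            "action": rec["eventName"],
            # LeaveOrganization takes no parameters: the caller's own account leaves.
            "account": params.get("accountId") or identity.get("accountId"),
            "caller": identity.get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "succeeded": "errorCode" not in rec,  # errorCode is present on failed calls
            "approved": identity.get("arn") in approved_callers,
        })
    return findings

if __name__ == "__main__":
    for finding in find_detach_events(SAMPLE_LOG):
        print(finding)
```

Failed attempts are kept in the output because a denied detach call is still worth following up with the caller.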