Skip to content

CreateAccount

AWS

CreateAccount

service: AWS - Organizations
tactics:
techniques:

Event

Creates a new AWS account as a member of an AWS Organization under the management account.

Security Context

  • Creating cloud accounts provides a durable backdoor that persists independently of any compromised user’s credentials.

Log Source

CloudTrail

Sample Event

Legitimate. Hermione — operating from a session in the management/org-root account 555700070007 (persona doc) with MFA — calls CreateAccount to provision a new sandbox member account for a contractor onboarding (Luna). The request supplies a unique billing email on the corporate domain, a friendly account name, and the default OrganizationAccountAccessRole. The response is the CreateAccountStatus with State: IN_PROGRESS; the actual AccountId is populated later via the asynchronous CreateAccountResult event.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAHERM10NE000ADM1N",
"arn": "arn:aws:iam::555700070007:user/hermione",
"accountId": "555700070007",
"accessKeyId": "AKIAHERM10NEEXAMPLE1",
"userName": "hermione",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T13:42:11Z",
"mfaAuthenticated": "true"
}
}
},
"eventTime": "2026-04-15T16:08:55Z",
"eventSource": "organizations.amazonaws.com",
"eventName": "CreateAccount",
"awsRegion": "us-east-1",
"sourceIPAddress": "198.51.100.42",
"userAgent": "aws-cli/2.15.30 Python/3.11.6 Linux/5.15.0-1052-aws exe/x86_64.ubuntu.22 prompt/off command/organizations.create-account",
"requestParameters": {
"email": "aws-luna-sandbox@fantasticlogs.cloud",
"accountName": "Luna Onboarding Sandbox",
"iamUserAccessToBilling": "DENY",
"roleName": "OrganizationAccountAccessRole"
},
"responseElements": {
"createAccountStatus": {
"id": "car-luna5andboxc04ate0account0re0001",
"accountName": "Luna Onboarding Sandbox",
"state": "IN_PROGRESS",
"requestedTimestamp": "Apr 15, 2026, 4:08:55 PM"
}
},
"requestID": "90000000-0000-4000-8000-000001111110",
"eventID": "90000000-0000-4000-8000-000001111111",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555700070007",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "organizations.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Persistence

Techniques:
  • T1136.003 — Cloud Account — Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.