CreateAccount
AWS
CreateAccount
Event
Creates a new AWS account as a member of an AWS Organization under the management account.
Security Context
- Creating cloud accounts provides a durable backdoor that persists independently of any compromised user’s credentials.
Log Source
CloudTrail
Sample Event
Legitimate. Hermione — operating from a session in the management/org-root account 555700070007 (persona doc) with MFA — calls CreateAccount to provision a new sandbox member account for a contractor onboarding (Luna). The request supplies a unique billing email on the corporate domain, a friendly account name, and the default OrganizationAccountAccessRole. The response is the CreateAccountStatus with State: IN_PROGRESS; the actual AccountId is populated later via the asynchronous CreateAccountResult event.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDAHERM10NE000ADM1N", "arn": "arn:aws:iam::555700070007:user/hermione", "accountId": "555700070007", "accessKeyId": "AKIAHERM10NEEXAMPLE1", "userName": "hermione", "sessionContext": { "attributes": { "creationDate": "2026-04-15T13:42:11Z", "mfaAuthenticated": "true" } } }, "eventTime": "2026-04-15T16:08:55Z", "eventSource": "organizations.amazonaws.com", "eventName": "CreateAccount", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.42", "userAgent": "aws-cli/2.15.30 Python/3.11.6 Linux/5.15.0-1052-aws exe/x86_64.ubuntu.22 prompt/off command/organizations.create-account", "requestParameters": { "email": "aws-luna-sandbox@fantasticlogs.cloud", "accountName": "Luna Onboarding Sandbox", "iamUserAccessToBilling": "DENY", "roleName": "OrganizationAccountAccessRole" }, "responseElements": { "createAccountStatus": { "id": "car-luna5andboxc04ate0account0re0001", "accountName": "Luna Onboarding Sandbox", "state": "IN_PROGRESS", "requestedTimestamp": "Apr 15, 2026, 4:08:55 PM" } }, "requestID": "90000000-0000-4000-8000-000001111110", "eventID": "90000000-0000-4000-8000-000001111111", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555700070007", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "organizations.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Persistence
Techniques:
- T1136.003 — Cloud Account — Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.