LeaveOrganization
AWS
LeaveOrganization
Event
Removes the current member account from its AWS Organization; the management account cannot leave.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
Log Source
CloudTrail
Sample Event
Adversarial. Draco — having compromised credentials with organizations:LeaveOrganization permissions inside the production member account 555123456789 — calls LeaveOrganization to detach the prod account from the central AWS Org. After this, Service Control Policies (SCPs), centralised CloudTrail, and Org-level GuardDuty all stop applying — a comprehensive defense-impairment move that often presages destructive operations. T1685. (Note: the management/master account cannot leave its own org; this is only callable from a member account.)
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T21:42:08Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T22:18:54Z", "eventSource": "organizations.amazonaws.com", "eventName": "LeaveOrganization", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": null, "responseElements": null, "requestID": "90000000-0000-4000-8000-000101001110", "eventID": "90000000-0000-4000-8000-000101001111", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "organizations.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...