RemoveAccountFromOrganization
Event
Removes an AWS account from the organization, stripping it of SCP protections and centralized security controls.
Security Context
- Removing an account from an AWS Organization immediately strips all Service Control Policies, disabling centralized guardrails and allowing unrestricted API access within the account.
- Adversaries with organization-level access remove accounts to operate without SCP restrictions, enabling actions that were previously denied, such as disabling CloudTrail or creating public resources.
Log Source
CloudTrail
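The following detection sketch is an added example, not part of the original page. It flags RemoveAccountFromOrganization calls in parsed CloudTrail records, then checks the removed account for the CloudTrail-disabling follow-up described above. All account IDs, ARNs, IPs and timestamps are constructed, and the choice of StopLogging and DeleteTrail as the follow-up events is an assumption.

```python
from datetime import datetime

# Constructed CloudTrail records for illustration; every ID, ARN and IP is a placeholder.
ORG, CT = "organizations.amazonaws.com", "cloudtrail.amazonaws.com"
ACTOR = {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/example-admin"}
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": ORG, "recipientAccountId": "111111111111",
     "eventName": "RemoveAccountFromOrganization", "userIdentity": ACTOR,
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"accountId": "222222222222"},
     "errorCode": "AccessDeniedException"},  # denied attempt
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": ORG, "recipientAccountId": "111111111111",
     "eventName": "RemoveAccountFromOrganization", "userIdentity": ACTOR,
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"accountId": "222222222222"}},
    {"eventTime": "2024-01-01T10:20:00Z", "eventSource": CT, "recipientAccountId": "222222222222",
     "eventName": "StopLogging", "userIdentity": {"type": "Root"}},
    {"eventTime": "2024-01-01T10:30:00Z", "eventSource": CT, "recipientAccountId": "333333333333",
     "eventName": "StopLogging", "userIdentity": {"type": "Root"}},  # unrelated account
]
TRAIL_IMPAIRMENT = {"StopLogging", "DeleteTrail"}  # assumed follow-up events to watch


def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_removals(records):
    """One finding per RemoveAccountFromOrganization call, successful or denied."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != ORG or rec.get("eventName") != "RemoveAccountFromOrganization":
            continue
        findings.append({
            "time": _ts(rec),
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            "source_ip": rec.get("sourceIPAddress"),
            "removed_account": (rec.get("requestParameters") or {}).get("accountId"),
            "succeeded": "errorCode" not in rec,  # CloudTrail sets errorCode on failed calls
        })
    return findings


def followup_impairment(records, finding):
    """Trail-impairing calls logged in the removed account after a successful removal."""
    if not finding["succeeded"]:
        return []
    return [r["eventName"] for r in records
            if r.get("eventSource") == CT and r.get("eventName") in TRAIL_IMPAIRMENT
            and r.get("recipientAccountId") == finding["removed_account"]
            and _ts(r) > finding["time"]]
```

Denied attempts are kept as findings because a failed call still shows who tried to remove the account; the follow-up check needs log visibility into the removed account, which may end once it leaves the organization trail.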
Sample Event
MITRE ATT&CK Mapping
Tactics: Defense Evasion
Techniques:
- T1562 — Impair Defenses — Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify...