RemoveAccountFromOrganization
AWS
RemoveAccountFromOrganization
Event
Removes an AWS account from the organization, stripping it of SCP protections and centralized security controls.
Security Context
- Removing an account from an AWS Organization immediately strips all Service Control Policies, disabling centralized guardrails and allowing unrestricted API access within the account.
- Adversaries with organization-level access remove accounts to operate without SCP restrictions, enabling actions that were previously denied such as disabling CloudTrail or creating public resources.
Log Source
CloudTrail
Sample Event
Adversarial. Draco — having moved laterally to the org-management account 555700070007 via a chained AssumeRole into OrgAccessRole — calls RemoveAccountFromOrganization on the production account 555123456789, severing it from SCP enforcement. Once removed, the account can no longer be governed by SCPs (which were previously denying actions like cloudtrail:StopLogging), and Draco’s subsequent activity in 555123456789 runs without org-level guardrails.
{ "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "AROA0RGACCESS0RG007:draco-org-session", "arn": "arn:aws:sts::555700070007:assumed-role/OrgAccessRole/draco-org-session", "accountId": "555700070007", "accessKeyId": "ASIA0RGACCESSEXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AROA0RGACCESS0RG007", "arn": "arn:aws:iam::555700070007:role/OrgAccessRole", "accountId": "555700070007", "userName": "OrgAccessRole" }, "attributes": { "creationDate": "2026-04-15T19:42:51Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T19:46:18Z", "eventSource": "organizations.amazonaws.com", "eventName": "RemoveAccountFromOrganization", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "accountId": "555123456789" }, "responseElements": null, "requestID": "90000000-0000-4000-8000-000110011100", "eventID": "90000000-0000-4000-8000-000110011101", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555700070007", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "organizations.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...