Skip to content

RemoveAccountFromOrganization

AWS

RemoveAccountFromOrganization

service: AWS - Organizations
techniques:

Event

Removes an AWS account from the organization, stripping it of SCP protections and centralized security controls.

Security Context

  • Removing an account from an AWS Organization immediately strips all Service Control Policies, disabling centralized guardrails and allowing unrestricted API access within the account.
  • Adversaries with organization-level access remove accounts to operate without SCP restrictions, enabling actions that were previously denied such as disabling CloudTrail or creating public resources.

Log Source

CloudTrail

Sample Event

Adversarial. Draco — having moved laterally to the org-management account 555700070007 via a chained AssumeRole into OrgAccessRole — calls RemoveAccountFromOrganization on the production account 555123456789, severing it from SCP enforcement. Once removed, the account can no longer be governed by SCPs (which were previously denying actions like cloudtrail:StopLogging), and Draco’s subsequent activity in 555123456789 runs without org-level guardrails.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROA0RGACCESS0RG007:draco-org-session",
"arn": "arn:aws:sts::555700070007:assumed-role/OrgAccessRole/draco-org-session",
"accountId": "555700070007",
"accessKeyId": "ASIA0RGACCESSEXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROA0RGACCESS0RG007",
"arn": "arn:aws:iam::555700070007:role/OrgAccessRole",
"accountId": "555700070007",
"userName": "OrgAccessRole"
},
"attributes": {
"creationDate": "2026-04-15T19:42:51Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T19:46:18Z",
"eventSource": "organizations.amazonaws.com",
"eventName": "RemoveAccountFromOrganization",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"accountId": "555123456789"
},
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000110011100",
"eventID": "90000000-0000-4000-8000-000110011101",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555700070007",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "organizations.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...