
CIRT insights: How to help prevent unauthorized account removals from AWS Organizations

Security Blog



This article describes a threat tactic where attackers remove AWS accounts from AWS Organizations to bypass security controls and monitoring.

  • Threat actors use the `organizations:LeaveOrganization` permission to remove compromised accounts from their organization
  • Removed accounts lose SCPs, consolidated billing alerts, CloudTrail organization trails, and GuardDuty visibility
  • Organizations lose visibility into accounts that still contain organizational resources
  • CloudTrail logs the `LeaveOrganization` and `AcceptHandshake` API calls when an account departs
  • Implement an SCP that denies the `organizations:LeaveOrganization` action as the primary preventive control
  • Apply least-privilege IAM permissions to limit unauthorized permission escalation paths
  • Enable MFA on root users, delete root access keys, and implement centralized root access management

AWS CIRT recommends immediately implementing the `DenyLeaveOrganizationSCP` policy as the highest-impact, lowest-effort control against this emerging threat technique.
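As an added example, not code from the article or from AWS, the Python below reconstructs the `DenyLeaveOrganizationSCP` document (the policy name is from the article; the statement body is an assumption) and runs a small detection over constructed CloudTrail records for the two API calls the article names, marking attempts the SCP blocked. Record field names follow the standard CloudTrail schema; the account ID and principal ARN are made up.

```python
# Reconstruction of the SCP the article recommends: policy name from the article,
# statement body assumed. Attach it at the root so it reaches every member
# account; SCPs never restrict the management account itself.
DENY_LEAVE_ORGANIZATION_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyLeaveOrganization",
        "Effect": "Deny",
        "Action": "organizations:LeaveOrganization",
        "Resource": "*",
    }],
}

# CloudTrail API names the article lists as the footprint of an account departure.
DEPARTURE_EVENTS = {"LeaveOrganization", "AcceptHandshake"}


def scp_denies_leave(policy: dict) -> bool:
    """True if some statement explicitly denies organizations:LeaveOrganization."""
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Deny" and stmt.get("Resource") == "*" and any(
                a in ("*", "organizations:*", "organizations:LeaveOrganization") for a in actions):
            return True
    return False


def find_departure_events(records: list) -> list:
    """Keep only departure-related Organizations calls, noting whether each was denied."""
    hits = []
    for r in records:
        if r.get("eventSource") != "organizations.amazonaws.com" or r.get("eventName") not in DEPARTURE_EVENTS:
            continue
        hits.append({"eventName": r["eventName"], "account": r.get("recipientAccountId"),
                     "principal": r.get("userIdentity", {}).get("arn"),
                     "denied": r.get("errorCode") == "AccessDenied"})
    return hits


# Constructed sample CloudTrail records (not real logs): one leave attempt blocked
# by the SCP, one AcceptHandshake call, and one unrelated call that is ignored.
ARN = "arn:aws:iam::111111111111:user/compromised-admin"
SAMPLE_RECORDS = [
    {"eventSource": "organizations.amazonaws.com", "eventName": "LeaveOrganization",
     "recipientAccountId": "111111111111", "errorCode": "AccessDenied", "userIdentity": {"arn": ARN}},
    {"eventSource": "organizations.amazonaws.com", "eventName": "AcceptHandshake",
     "recipientAccountId": "111111111111", "userIdentity": {"arn": ARN}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "recipientAccountId": "111111111111", "userIdentity": {"arn": ARN}},
]
```

A denied `LeaveOrganization` after the SCP is in place is still worth alerting on, since it shows a principal in that account is trying to escape organizational controls.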


Related articles

  • Mar 17, 2026: Essential security controls to prevent unauthorized account removal in AWS Organizations
  • Jul 31, 2024: Protect your AWS resources from unauthorized access using AWS Organizations integrations
  • Jun 13, 2025: AWS CIRT announces the launch of the Threat Technique Catalog for AWS
  • Nov 13, 2025: Securely accessing external accounts with AWS IAM Identity Center