Attempt to Leave the AWS Organization

idempotent

Platform: AWS

MITRE ATT&CK Tactics

  • Defense Evasion

Description

Attempts to leave the AWS Organization. The attempt is unsuccessful by design: the role used has no permission to call the API, so the request fails with an AccessDenied error. Security configurations are often defined at the organization level (GuardDuty, Security Hub, CloudTrail, ...), so a member account that leaves the organization can disrupt or completely shut down these controls.

Warm-up:

  • Create an IAM role without permissions to run organizations:LeaveOrganization

Detonation:

  • Call organizations:LeaveOrganization to simulate an attempt to leave the AWS Organization.

Instructions

Detonate with Stratus Red Team
stratus detonate aws.defense-evasion.organizations-leave

Detection

Any attempt from a member account to leave its AWS Organization should be considered suspicious, whether or not the call succeeds.

Use the CloudTrail event LeaveOrganization (eventSource organizations.amazonaws.com). Do not filter out failed calls: an attempt that ends in an AccessDenied error is still a strong signal that a principal is trying to escape organization-level controls.
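The detection above, as an added example that is not part of the Stratus Red Team project: a small filter over CloudTrail records that flags every LeaveOrganization call from a member account and marks denied attempts (such as the one this technique produces) separately from successful ones. The records below are constructed samples, and the exact errorCode string returned by the Organizations API is an assumption (any value starting with "AccessDenied" is treated as a denied call).

```python
import json

# Constructed sample CloudTrail records (account IDs, ARNs and IPs are placeholders).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {   # the denied attempt this technique generates
        "eventTime": "2024-01-01T12:00:00Z",
        "eventSource": "organizations.amazonaws.com",
        "eventName": "LeaveOrganization",
        "errorCode": "AccessDeniedException",  # assumed error code value
        "recipientAccountId": "111111111111",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111111111111:assumed-role/stratus-role/session"},
    },
    {   # a successful call: the account actually left the organization
        "eventTime": "2024-01-01T12:05:00Z",
        "eventSource": "organizations.amazonaws.com",
        "eventName": "LeaveOrganization",
        "recipientAccountId": "222222222222",
        "sourceIPAddress": "203.0.113.11",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::222222222222:user/admin"},
    },
    {   # unrelated Organizations read call, must not be flagged
        "eventTime": "2024-01-01T12:06:00Z",
        "eventSource": "organizations.amazonaws.com",
        "eventName": "DescribeOrganization",
        "recipientAccountId": "222222222222",
        "sourceIPAddress": "203.0.113.11",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::222222222222:user/admin"},
    },
]})


def detect_leave_organization(cloudtrail_json: str) -> list[dict]:
    """Return one finding per LeaveOrganization call, denied or successful."""
    findings = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if rec.get("eventSource") != "organizations.amazonaws.com":
            continue
        if rec.get("eventName") != "LeaveOrganization":
            continue
        error = rec.get("errorCode", "")
        denied = error.startswith("AccessDenied")
        findings.append({
            "time": rec.get("eventTime"),
            "account": rec.get("recipientAccountId"),
            "principal": rec.get("userIdentity", {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "outcome": "denied" if denied else "succeeded",
            # a successful departure means org-level controls are already gone
            "severity": "high" if denied else "critical",
        })
    return findings
```

Feed the function the contents of a CloudTrail log file (or the records returned by a CloudTrail Lake / SIEM query) and route "critical" findings to an immediate response path, since a successful call means the account is no longer covered by organization-wide GuardDuty, Security Hub or CloudTrail settings.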