Attempt to Leave the AWS Organization
idempotent
Platform: AWS
MITRE ATT&CK Tactics
- Defense Evasion
Description
Attempts to leave the AWS Organization. The attempt is unsuccessful by design: the role used has no permission to call organizations:LeaveOrganization, so the call fails with an AccessDenied error. Security configurations are often defined at the organization level (GuardDuty, Security Hub, CloudTrail, ...), so an account that leaves the organization can disrupt or completely shut down these controls for itself.
Warm-up:
- Create an IAM role without permissions to run organizations:LeaveOrganization
Detonation:
- Call organizations:LeaveOrganization to simulate an attempt to leave the AWS Organization.
Instructions
Detection
Any attempts from a child account to leave its AWS Organization should be considered suspicious.
Use the CloudTrail event LeaveOrganization.
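As an added example (not part of the Stratus Red Team page), the detection above applied to constructed CloudTrail records: every LeaveOrganization call from the organizations service is flagged, a denied attempt (such as the one this technique produces) is reported as high severity, and a call that succeeded is reported as critical because organization-level controls no longer apply to that account. Account IDs, role names and timestamps are invented sample values.

```python
import json

# Constructed sample CloudTrail records (not real log data). Fields are
# trimmed to those the detection uses. Record 1 mirrors this technique:
# a role without permission calls LeaveOrganization and is denied.
SAMPLE_EVENTS = [
    {"eventSource": "organizations.amazonaws.com", "eventName": "LeaveOrganization",
     "eventTime": "2024-01-01T12:00:00Z", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/leave-org-test/session"},
     "errorCode": "AccessDenied",
     "errorMessage": "not authorized to perform: organizations:LeaveOrganization"},
    # Read-only Organizations call: must not be flagged.
    {"eventSource": "organizations.amazonaws.com", "eventName": "DescribeOrganization",
     "eventTime": "2024-01-01T12:00:05Z", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/leave-org-test/session"}},
    # Successful call (no errorCode): the account actually left the org.
    {"eventSource": "organizations.amazonaws.com", "eventName": "LeaveOrganization",
     "eventTime": "2024-01-01T13:00:00Z", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::222222222222:user/admin"}},
]


def detect_leave_organization(events):
    """Return one finding per LeaveOrganization call, whether it was denied or not."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "organizations.amazonaws.com":
            continue
        if ev.get("eventName") != "LeaveOrganization":
            continue
        error = ev.get("errorCode") or ""
        if "AccessDenied" in error:
            outcome, severity = "denied", "high"      # attempt blocked, still suspicious
        elif error:
            outcome, severity = "error:" + error, "high"
        else:
            outcome, severity = "succeeded", "critical"  # org-level controls now bypassed
        findings.append({
            "time": ev.get("eventTime"),
            "account": ev.get("recipientAccountId"),
            "principal": ev.get("userIdentity", {}).get("arn"),
            "outcome": outcome,
            "severity": severity,
        })
    return findings


def findings_from_log(text):
    """Parse a CloudTrail log file body ({"Records": [...]}) or a JSON list."""
    data = json.loads(text)
    records = data["Records"] if isinstance(data, dict) else data
    return detect_leave_organization(records)


if __name__ == "__main__":
    for f in findings_from_log(json.dumps({"Records": SAMPLE_EVENTS})):
        print(f)
```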