Attempt to Leave the AWS Organization
MITRE ATT&CK Tactics
- Defense Evasion
Attempts to leave the AWS Organization (the attempt is unsuccessful and fails with an AccessDenied error). Security configurations are often defined at the organization level (GuardDuty, Security Hub, CloudTrail, ...). Leaving the organization can disrupt or completely shut down these controls.
- Create an IAM role without permissions to run organizations:LeaveOrganization
- Call organizations:LeaveOrganization to simulate an attempt to leave the AWS Organization.
Any attempts from a child account to leave its AWS Organization should be considered suspicious.
Use the CloudTrail event
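Added example, not part of this technique page: detection logic run over constructed CloudTrail records. It flags every LeaveOrganization call from organizations.amazonaws.com whether it was denied or succeeded, since the attempt itself is what matters; the account IDs, role and user names are made up.

```python
import json

# Constructed sample CloudTrail log file (not real events): a denied attempt to
# leave the organization, a successful LeaveOrganization call, and an unrelated
# read-only Organizations call that must not be flagged.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {
        "eventSource": "organizations.amazonaws.com",
        "eventName": "LeaveOrganization",
        "errorCode": "AccessDenied",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/example-role/session"},
    },
    {
        "eventSource": "organizations.amazonaws.com",
        "eventName": "LeaveOrganization",
        "recipientAccountId": "222222222222",
        "userIdentity": {"arn": "arn:aws:iam::222222222222:user/example-admin"},
    },
    {
        "eventSource": "organizations.amazonaws.com",
        "eventName": "DescribeOrganization",
        "recipientAccountId": "222222222222",
        "userIdentity": {"arn": "arn:aws:iam::222222222222:user/example-admin"},
    },
]})


def is_leave_attempt(record):
    """True for any LeaveOrganization call, whether it succeeded or was denied."""
    return (record.get("eventSource") == "organizations.amazonaws.com"
            and record.get("eventName") == "LeaveOrganization")


def find_leave_attempts(log_file_json):
    """Parse a CloudTrail log file ({"Records": [...]}) and return one finding per attempt."""
    records = json.loads(log_file_json).get("Records", [])
    findings = []
    for rec in records:
        if not is_leave_attempt(rec):
            continue
        findings.append({
            "account": rec.get("recipientAccountId"),
            "principal": rec.get("userIdentity", {}).get("arn"),
            # A denied call is still an attempt and still worth alerting on.
            "outcome": "denied" if rec.get("errorCode") else "succeeded",
        })
    return findings
```

Each finding carries the member account and the calling principal, which is what an alert on this event should surface; the denied attempt is reported alongside the successful one rather than filtered out.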