
Summary
Detects when an AWS member account makes any attempt to leave its AWS Organization via the LeaveOrganization API, regardless of outcome. Leaving the organization removes all SCP guardrails, disconnects centralized CloudTrail aggregation, and prevents further auditing by the management account. The rule flags both successful leaves and denied attempts (e.g., AccessDenied) since a blocked action still indicates malicious intent or misused credentials. Investigation should focus on who made the call (aws.cloudtrail.user_identity.arn and type), the outcome, and the context of the request (source IP, user agent, geo). Correlation with recent IAM changes, root login activity, or other attempts to bypass organizational controls is advised. Valid legitimate departures can occur during restructurings, divestitures, or reorganization; confirm with administrators and ensure change-management processes were followed before treating as a security incident. If a leave is successful and unauthorized, re-invite the account to the organization and assess the compromise posture; if denied, determine how the actor obtained the permissions to attempt the action and whether privilege escalation is occurring. Remediation includes credential rotation, revoking the identity’s access, and broader post-event monitoring for related activity. The detection aligns with MITRE ATT&CK techniques: T1562 (Impair Defenses) and T1531 (Account Access Removal), mapping to Defense Evasion and Impact. Operationally, the rule targets CloudTrail logs from the AWS Organizations LeaveOrganization event stream to surface anomalous attempts against organizational guardrails.
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
ATT&CK Techniques
- T1562
- T1562.001
- T1531
Created: 2026-07-13