
Summary
This rule detects AWS account closures initiated via the CloseAccount API, covering both self-service closures (event.provider: account.amazonaws.com) and closures initiated by an AWS Organizations management account (event.provider: organizations.amazonaws.com) against member accounts. Account closure triggers a 90-day suspension window during which the account and resources are inaccessible; the operation requires highly privileged access and can be exploited to destroy evidence, disrupt operations, or eliminate resources. The detection focuses on successful CloseAccount events from CloudTrail, ensuring the action came from the appropriate provider, and correlates relevant context to identify the target account and actor. The rule uses CloudTrail event fields such as aws.cloudtrail.user_identity.arn/type, cloud.account.id, aws.cloudtrail.request_parameters (target AccountId for organization-initiated closures), event.action, and event.outcome to surface security-relevant closures. It supports rapid triage with investigation fields including user identity, source IP, user agent, and region. The rule is aligned with MITRE ATT&CK techniques Data Destruction (T1485) and Account Access Removal (T1531) under the Impact tactic (TA0040). The risk score is 47 with a medium severity, reflecting the high impact of account closure and potential for abuse by insiders or attackers. False positives include legitimate organizational closures and decommissioning that should have change-management approvals. Recommended response includes attempting cancellation within the 90-day window, revoking credentials, rotating access keys, and restricting organization-level permissions (organizations:CloseAccount) and account:CloseAccount to trusted admins. Preserve CloudTrail logs for evidence and conduct broader activity review around the closure window to detect credential compromise or privilege escalation.
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
ATT&CK Techniques
- T1485
- T1531
Created: 2026-07-13