AWS Attempt to Leave Organization

Last updated 6 days ago on 2026-07-13
Created 6 days ago on 2026-07-13

About

Detects any attempt, successful or denied, for a member account to leave an AWS Organization via the LeaveOrganization API. Leaving an organization immediately strips the account of every Service Control Policy (SCP) guardrail the organization enforces, removes it from centralized CloudTrail aggregation, and eliminates the management account's ability to audit or control it going forward. An adversary who has gained root or organization-management-capable access in a member account may use this technique to escape organizational security controls and operate unmonitored. Denied attempts are included because a blocked call is just as strong a signal of intent as a successful one, and is often the only trace left when the account's default permissions correctly prevent the action.
Tags
Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS CloudTrailData Source: AWS OrganizationsUse Case: Threat DetectionTactic: Defense EvasionTactic: ImpactLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Defense Evasion (TA0005)(external, opens in a new tab or window)

Impact (TA0040)(external, opens in a new tab or window)

False Positive Examples
Accounts may legitimately leave an organization during company splits, divestitures, or other structural changes. This action requires the account's root credentials or an explicit policy granting `organizations:LeaveOrganization`. Any unexpected event, successful or denied, should be treated as a critical incident requiring immediate investigation and confirmation with account/organization owners.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-aws.cloudtrail-*
Related Integrations

aws(external, opens in a new tab or window)

Query
text code block:
data_stream.dataset: "aws.cloudtrail" and event.provider: "organizations.amazonaws.com" and event.action: "LeaveOrganization"

Install detection rules in Elastic Security

Detect AWS Attempt to Leave Organization in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).