AWS Account Closed

Last updated 6 days ago on 2026-07-13
Created 6 days ago on 2026-07-13

About

Detects the closure of an AWS account via the CloseAccount API. This can be called either by the account itself (account.amazonaws.com, self-service closure) or by an AWS Organizations management account against one of its member accounts (organizations.amazonaws.com). Account closure triggers a 90-day grace period during which the account is suspended before permanent termination, and is one of the most destructive and disruptive actions available in AWS. It removes access to all resources and data in the account for the duration of the suspension. An adversary with root-level access in a member account, or management-level access to an organization, may close accounts to destroy evidence, disrupt business operations, or eliminate compute and data resources. A malicious insider could use the same action for sabotage.
Tags
Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS CloudTrailUse Case: Threat DetectionTactic: ImpactLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Impact (TA0040)(external, opens in a new tab or window)

False Positive Examples
AWS accounts may be legitimately closed as part of organizational restructuring, account consolidation, or decommissioning of workloads. Legitimate closures should always have a corresponding change-management record and documented approval; any closure without one should be treated as a critical incident.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-aws.cloudtrail-*
Related Integrations

aws(external, opens in a new tab or window)

Query
text code block:
data_stream.dataset: "aws.cloudtrail" and event.action: "CloseAccount" and event.outcome: "success" and event.provider: ("account.amazonaws.com" or "organizations.amazonaws.com")

Install detection rules in Elastic Security

Detect AWS Account Closed in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).