AWS Suspect Organization Exit

Detection overview

Triggers

  • An AWS control-plane API was invoked in an attempt to leave the AWS Organization in which the target account is a member.

Possible Root Causes

  • An attacker is attempting to leave the AWS organization in which the target account is a member. This is done in order to evade restrictions and disrupt logging visibility.
  • An administrator or automated task is performing authorized account migration activities.

Business Impact

  • An attacker who is able to hinder the defenses of their victim also has the ability to evade detection.
  • If an attacker is able to successfully remove a targeted AWS account from its AWS Organization:
    - Guardrails such as Service Control Policies (SCPs) will be lifted, leading to an increased risk of malicious activity in the account.
    - Logging may be interrupted, increasing the risk that malicious activity in the account goes unnoticed.

Steps to Verify

  • Investigate the Principal which performed the actions for other signs of malicious activity.
  • Review security policy to determine if removing the Member Account from the Organization is allowed.
  • If review indicates possible malicious actions or high-risk modifications:
    - Disable credentials associated with this alert.
    - Invite the Member Account to re-join the Organization.
    - Establish control over the email inbox of the Member Account Root User in order to approve the invitation to re-join the Organization.
    - Perform a comprehensive investigation to determine initial compromise and the scope of impacted resources.
    - Create a Service Control Policy (SCP) preventing Member Accounts from leaving the Organization.
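
Detection logic for the trigger above, together with the deny SCP from the last verification step, as an added Python example that is not part of this detection page: it scans CloudTrail records for the Organizations APIs that take an account out of an Organization (LeaveOrganization, called from the member account, and RemoveAccountFromOrganization, called from the management account), keeps denied attempts as findings because a blocked attempt is still worth triage, and shows the SCP that closes the member-side path. The sample records, account IDs, IP addresses and principal names are constructed.

```python
import json
from typing import Iterable, List

# Organizations control-plane APIs that remove an account from its Organization.
# LeaveOrganization is called from the member account itself;
# RemoveAccountFromOrganization is called from the management account.
ORG_EXIT_EVENTS = {"LeaveOrganization", "RemoveAccountFromOrganization"}

# Constructed CloudTrail records (not real logs): one successful exit by an IAM
# user, one attempt that was denied (e.g. by an SCP), and one unrelated read call.
SAMPLE_RECORDS = [
    {"eventSource": "organizations.amazonaws.com", "eventName": "LeaveOrganization",
     "recipientAccountId": "111111111111", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/deploy-bot"}},
    {"eventSource": "organizations.amazonaws.com", "eventName": "LeaveOrganization",
     "recipientAccountId": "222222222222", "sourceIPAddress": "203.0.113.9",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::222222222222:assumed-role/Admin/alice"}},
    {"eventSource": "organizations.amazonaws.com", "eventName": "DescribeOrganization",
     "recipientAccountId": "111111111111", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/deploy-bot"}},
]

def find_org_exit_attempts(records: Iterable[dict]) -> List[dict]:
    """Return one finding per Organizations call that tries to remove an account.
    Denied calls are kept: a blocked attempt is still a signal for the analyst."""
    findings = []
    for r in records:
        if r.get("eventSource") != "organizations.amazonaws.com":
            continue
        if r.get("eventName") not in ORG_EXIT_EVENTS:
            continue
        findings.append({
            "account": r.get("recipientAccountId"),
            "api": r["eventName"],
            "principal": r.get("userIdentity", {}).get("arn"),
            "source_ip": r.get("sourceIPAddress"),
            "succeeded": "errorCode" not in r,   # CloudTrail sets errorCode on failure
        })
    return findings

# SCP that blocks the member-account side of the exit (the page's last step).
LEAVE_ORG_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyLeaveOrganization", "Effect": "Deny",
                   "Action": "organizations:LeaveOrganization", "Resource": "*"}],
}

if __name__ == "__main__":
    print(json.dumps(find_org_exit_attempts(SAMPLE_RECORDS), indent=2))
```

The SCP must be attached from the management account to the member accounts or their OU; a denied LeaveOrganization will then still show up in CloudTrail as a finding with "succeeded": false.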