Unauthorized Account Removals from AWS Organizations Exploited by Threat Actors
Severity: High (Score: 69.0)
Sources: aws-samples.github.io, Aws.Amazon
Keywords: organization, help, account, team, t1666, a002, leave
Summary
Threat actors are exploiting AWS Organizations by using compromised credentials to remove accounts from organizations. This tactic allows them to bypass Service Control Policies (SCPs) and gain unrestricted access to resources. The attack begins with the use of the organizations:LeaveOrganization permission, which enables the removal of a member account from the organization. Once removed, the account loses the protections and visibility provided by the organization, including billing alerts and CloudTrail logging. This can lead to significant data exposure and operational risks for affected organizations. The AWS Customer Incident Response Team has identified this trend and recommends implementing SCPs to deny the organizations:LeaveOrganization action as a preventive measure. Organizations are urged to investigate any unexpected LeaveOrganization API calls in their CloudTrail logs.

Key Points:
- Threat actors exploit AWS Organizations by removing accounts to bypass security controls.
- The attack leverages the organizations:LeaveOrganization permission to gain unrestricted access.
- Implementing Service Control Policies can help prevent unauthorized account removals.
Detailed Analysis
**Impact**
Organizations using AWS Organizations with multiple member accounts are affected, particularly those relying on Service Control Policies (SCPs) for governance and consolidated billing for cost monitoring. Unauthorized removal of accounts results in loss of centralized visibility, control, and security monitoring, increasing the risk of undetected malicious activity and potential data exposure. The impact spans all sectors using AWS cloud services globally, with no specific geographic or sectoral data provided.

**Technical Details**
Threat actors leverage compromised credentials with the organizations:LeaveOrganization permission to call the LeaveOrganization API, removing member accounts from the AWS Organization. This action disables inherited SCPs, consolidated billing, centralized CloudTrail logging, and GuardDuty findings, effectively isolating the account from organizational controls. No CVEs or malware are involved; the technique exploits permission misconfigurations and design weaknesses. Relevant CloudTrail events include organizations:AcceptHandshake and organizations:LeaveOrganization, which should be monitored for suspicious activity.

**Recommended Response**
Implement an SCP explicitly denying the organizations:LeaveOrganization action to prevent unauthorized account removals. Enforce the principle of least privilege by restricting IAM permissions related to organization management, including iam:AttachRolePolicy, iam:AttachUserPolicy, iam:PutRolePolicy, and sts:AssumeRole. Monitor CloudTrail for LeaveOrganization and AcceptHandshake API calls and investigate any unapproved occurrences. Regularly audit IAM policies for overly broad permissions and ensure centralized logging and security monitoring remain intact.
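As an added illustration of the recommended response (example code, not from AWS or the CIRT post), the block below builds the deny-LeaveOrganization SCP document and runs a simple detector over constructed CloudTrail records, flagging LeaveOrganization and AcceptHandshake calls whose caller ARN is not on an approved list. The account IDs, ARNs, IPs and the approved-principal set are placeholders chosen for the example.

```python
import json

# Constructed example SCP that denies LeaveOrganization. Attach it at the
# organization root (or the OUs holding member accounts) so every member
# account inherits the deny; SCPs never restrict the management account itself.
DENY_LEAVE_ORGANIZATION_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyLeaveOrganization", "Effect": "Deny",
                   "Action": "organizations:LeaveOrganization", "Resource": "*"}],
}

# Organizations API calls the analysis above says to watch in CloudTrail.
WATCHED_EVENTS = {"LeaveOrganization", "AcceptHandshake"}


def flag_org_membership_events(records, approved_arns):
    """Return watched Organizations events whose caller ARN is not approved."""
    flagged = []
    for rec in records:
        if (rec.get("eventSource") != "organizations.amazonaws.com"
                or rec.get("eventName") not in WATCHED_EVENTS):
            continue
        arn = rec.get("userIdentity", {}).get("arn", "")
        if arn in approved_arns:
            continue  # membership change made by a known org-admin principal
        flagged.append({"eventTime": rec.get("eventTime"), "eventName": rec["eventName"],
                        "principal": arn, "account": rec.get("recipientAccountId"),
                        "sourceIP": rec.get("sourceIPAddress")})
    return flagged


# Constructed CloudTrail records (not real log data); account IDs and ARNs are placeholders.
SAMPLE_RECORDS = [
    {"eventTime": "2026-05-19T03:12:44Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "LeaveOrganization", "recipientAccountId": "222222222222",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:iam::222222222222:user/ci-deploy"}},
    {"eventTime": "2026-05-19T09:00:01Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "AcceptHandshake", "recipientAccountId": "333333333333",
     "sourceIPAddress": "203.0.113.9", "userIdentity": {"arn": "arn:aws:iam::333333333333:role/OrgAdmin"}},
    {"eventTime": "2026-05-19T09:05:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "DescribeOrganization", "recipientAccountId": "333333333333",
     "sourceIPAddress": "203.0.113.9", "userIdentity": {"arn": "arn:aws:iam::333333333333:role/OrgAdmin"}},
]
APPROVED_ARNS = {"arn:aws:iam::333333333333:role/OrgAdmin"}

if __name__ == "__main__":
    print(json.dumps(DENY_LEAVE_ORGANIZATION_SCP, indent=2))
    for hit in flag_org_membership_events(SAMPLE_RECORDS, APPROVED_ARNS):
        print("ALERT:", hit)
```

In a real deployment the records would come from the organization trail's S3 objects or a CloudWatch Logs subscription, and a hit should also be reconciled against the organization's change-approval process.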
Source articles (6)
- T1666.A002: Leave AWS Organization — aws-samples.github.io · 2026-05-19
  AWS Specific Content A prerequisite for this technique is that a threat actor has already gained access to the Management account within an AWS Organization as well as control of an AWS identity with…
- T1562.008: Disable Cloud Logs — aws-samples.github.io · 2026-05-19
  MITRE ATT&CK Content An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow fo…
- T1078.004: Cloud Accounts — aws-samples.github.io · 2026-05-19
- T1078.A002: Account Root User — aws-samples.github.io · 2026-05-19
  AWS Specific Content A prerequisite for this technique is that a threat actor has already gained control of an AWS account root user. This technique identifies when a threat actor uses the root user t…
- T1098: Account Manipulation — aws-samples.github.io · 2026-05-19
  MITRE ATT&CK Content Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access…
- CIRT insights: How to help prevent unauthorized account removals from AWS Organizations — Aws.Amazon · 2026-05-19
  The AWS Customer Incident Response Team works with customers to help them recover from active security incidents. As part of this work, the team often uncovers new or trending tactics used by various…
Timeline
- 2026-05-19 — AWS CIRT reports on account removal tactic: AWS Customer Incident Response Team highlights a new threat where accounts are removed from AWS Organizations, compromising security.
- 2026-05-19 — Threat technique catalog entry created: A new entry in the AWS threat technique catalog details the Leave AWS Organization tactic used by threat actors.
Related entities
- CWE-269 - Improper Privilege Management (Cwe)
- T1078 - Valid Accounts (Mitre Attack)
- T1098 - Account Manipulation (Mitre Attack)
- T1562.008 - Disable Or Modify Cloud Logs (Mitre Attack)
- Amazon GuardDuty (Platform)
- AWS CloudTrail (Platform)
- AWS Organizations (Platform)
- IAM (Platform)
- Office 365 (Platform)
- CloudTrail (Platform)
- AWS (Company)
- SCP (Tool)
- CloudWatch (Tool)
- Set-MailboxAuditBypassAssociation (Tool)