Triggers
- An AWS control-plane API was invoked in an attempt to leave the AWS Organization in which the target account is a member.
Possible Root Causes
- An attacker is attempting to leave the AWS organization in which the target account is a member. This is done in order to evade restrictions and disrupt logging visibility.
- An administrator or automated task is performing authorized account migration activities.
Business Impact
- An attacker who is able to hinder the defenses of their victim also has the ability to evade detection.
- If an attacker is able to successfully remove a targeted AWS account from its AWS Organization:
  - Guardrails such as Service Control Policies (SCPs) will be lifted, leading to an increased risk of malicious activity in the account.
  - Logging may be interrupted, and as a result there would be an increased risk of malicious activity in the account going unnoticed.
Steps to Verify
- Investigate the Principal which performed the actions for other signs of malicious activity.
- Review security policy to determine if removing the Member Account from the Organization is allowed.
- If review indicates possible malicious actions or high-risk modifications:
  - Disable credentials associated with this alert.
  - Invite the Member Account to re-join the Organization.
  - Establish control over the email inbox of the Member Account Root User in order to approve the invitation to re-join the Organization.
  - Perform a comprehensive investigation to determine initial compromise and the scope of impacted resources.
  - Create a Service Control Policy (SCP) preventing Member Accounts from leaving the Organization.
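As an added example (not part of the original detection description), the following Python flags the triggering API call, `LeaveOrganization`, in CloudTrail records and builds the guardrail SCP recommended in the last step. The CloudTrail records are constructed sample data; the account ID and principal ARNs are placeholders.

```python
import json

# Constructed sample CloudTrail records (placeholder account and ARNs).
# AWS Organizations API calls are logged with eventSource organizations.amazonaws.com.
SAMPLE_EVENTS = [
    {"eventSource": "organizations.amazonaws.com", "eventName": "DescribeOrganization",
     "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/ops"}},
    {"eventSource": "organizations.amazonaws.com", "eventName": "LeaveOrganization",
     "recipientAccountId": "111111111111", "eventTime": "2024-01-01T00:00:00Z",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Deploy/session"}},
    {"eventSource": "organizations.amazonaws.com", "eventName": "LeaveOrganization",
     "recipientAccountId": "111111111111", "eventTime": "2024-01-01T00:01:00Z",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/ops"}},
]


def find_leave_attempts(events):
    """Return one alert per LeaveOrganization call. Denied calls (e.g. blocked by an
    SCP) are kept as well, because the attempt itself is the trigger to investigate."""
    alerts = []
    for e in events:
        if (e.get("eventSource") != "organizations.amazonaws.com"
                or e.get("eventName") != "LeaveOrganization"):
            continue
        alerts.append({
            "account": e.get("recipientAccountId"),
            "principal": e.get("userIdentity", {}).get("arn"),
            "time": e.get("eventTime"),
            "succeeded": "errorCode" not in e,  # CloudTrail sets errorCode on failure
        })
    return alerts


def leave_organization_guardrail_scp():
    """SCP document denying member accounts the API used to leave the Organization."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyLeaveOrganization",
            "Effect": "Deny",
            "Action": "organizations:LeaveOrganization",
            "Resource": "*",
        }],
    }


if __name__ == "__main__":
    for alert in find_leave_attempts(SAMPLE_EVENTS):
        print(json.dumps(alert))
    print(json.dumps(leave_organization_guardrail_scp(), indent=2))
```

The SCP must be attached from the management account to the OU or account to be protected; it has no effect on the management account itself.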