SCP should prevent accounts from leaving the organization

Docs > Datadog Security > OOTB Rules > SCP should prevent accounts from leaving the organization

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Description

A Service Control Policy (SCP) should deny the organizations:LeaveOrganization action to prevent member accounts from leaving the AWS Organization. Accounts that leave the organization lose all centralized governance controls, including SCPs, consolidated billing, and security guardrails.

This rule also flags SCPs that use NotAction to exempt organizations:LeaveOrganization or organizations:* from a deny statement. A NotAction-based exemption creates a gap that could be exploited if the corresponding explicit deny is ever removed.

Remediation

Create an SCP that explicitly denies organizations:LeaveOrganization using Action (not NotAction) and attach it to the organization root. Remove any NotAction-based deny statements that exempt organization actions. Refer to the SCP syntax documentation for guidance.

SCP should prevent accounts from leaving the organization

Description

Remediation

How can I help you today?