SCP should prevent accounts from leaving the organization
Description
A Service Control Policy (SCP) should deny the organizations:LeaveOrganization action to prevent member accounts from leaving the AWS Organization. Accounts that leave the organization lose all centralized governance controls, including SCPs, consolidated billing, and security guardrails.
This rule also flags SCPs that use NotAction to exempt organizations:LeaveOrganization or organizations:* from a deny statement. A NotAction-based exemption creates a gap that could be exploited if the corresponding explicit deny is ever removed.
Create an SCP that explicitly denies organizations:LeaveOrganization using Action (not NotAction) and attach it to the organization root. Remove any NotAction-based deny statements that exempt organization actions. Refer to the SCP syntax documentation for guidance.
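As an added example (not code from this page or its vendor), the following Python check implements the rule's logic over constructed SCP documents: it reports whether an unconditional `Deny` on `organizations:LeaveOrganization` exists via `Action`, and lists any `Deny` statements whose `NotAction` exempts that action (directly, via `organizations:*`, or via `*`). The policy names and the treatment of `Condition`-bearing statements are assumptions of this check.

```python
"""Static check of an AWS SCP document against the LeaveOrganization rule (constructed example)."""
import fnmatch

LEAVE = "organizations:LeaveOrganization"


def _as_list(value):
    """IAM policy grammar allows Statement/Action/NotAction as a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    # Action matching is case-insensitive; '*' and '?' are the only wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def check_scp(policy: dict) -> dict:
    """Return explicit-deny status, NotAction exemptions, and overall compliance."""
    explicit_deny = False
    notaction_exemptions = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Deny":
            continue
        # Assumption of this check: a Deny carrying a Condition is not a blanket guardrail.
        if "Condition" not in stmt and any(
                _matches(p, LEAVE) for p in _as_list(stmt.get("Action"))):
            explicit_deny = True
        # A NotAction deny exempts every action it names; LeaveOrganization must not be among them.
        if any(_matches(p, LEAVE) for p in _as_list(stmt.get("NotAction"))):
            notaction_exemptions.append(stmt.get("Sid", f"Statement[{idx}]"))
    return {"explicit_deny": explicit_deny,
            "notaction_exemptions": notaction_exemptions,
            "compliant": explicit_deny and not notaction_exemptions}


# Constructed sample policies: the recommended form and the NotAction gap the rule flags.
COMPLIANT_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyLeaveOrganization", "Effect": "Deny", "Action": LEAVE, "Resource": "*"}]}
NOTACTION_GAP_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyAllExceptOrgs", "Effect": "Deny",
     "NotAction": ["organizations:*", "sts:AssumeRole"], "Resource": "*"}]}

if __name__ == "__main__":
    for name, doc in (("compliant", COMPLIANT_SCP), ("notaction-gap", NOTACTION_GAP_SCP)):
        print(name, check_scp(doc))
```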