An AWS account attempted to leave the AWS Organization

Goal

Detect an AWS account attempting to leave an AWS organization.

Strategy

This rule monitors CloudTrail for the AWS Organizations LeaveOrganization API call, which removes a member account from its organization. Only a member account can make this call; the management account cannot leave its own organization. A service control policy (SCP) that denies organizations:LeaveOrganization blocks member accounts from making it, and a blocked attempt is still recorded in CloudTrail with an errorCode, so failed attempts should be triaged alongside successful ones.

An attacker may attempt this API call for several reasons, such as:

  • Escape security controls that are defined at the organization level, such as SCPs and organization-wide CloudTrail or GuardDuty configuration. Once the account has left the organization, those controls no longer apply to it.
  • Deny the victim's organization access to the account: after the account leaves, the management account can no longer administer it and loses visibility into it.

Triage and response

  1. Determine if {{@userIdentity.arn}} should have made the {{@evt.name}} API call, and check whether the call succeeded or was denied (an errorCode such as AccessDenied on the event indicates a blocked attempt).
  2. If the API call was not made by the user:
  • Rotate user credentials.
  • Determine what other API calls were made by the user.
  • Initiate your company's incident response (IR) process.
  3. If the API call was made legitimately by the user:
  • Communicate with the user to understand if this was a planned action.
  • If not, check what other API calls were made by the user and determine if they warrant further investigation.
  • Initiate your company's incident response (IR) process.
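The detection logic in the Strategy section and step 2 of the triage (finding the principal's other API calls) can be checked against raw CloudTrail records. The following Python script is an added example written for this page, not part of the detection rule itself or of any AWS tooling. The three CloudTrail records it scans are constructed for illustration (account IDs, ARNs, IP addresses and timestamps are invented); the only real identifiers it relies on are the eventSource `organizations.amazonaws.com` and the eventName `LeaveOrganization`.

```python
import json
from typing import Iterable, List

# Constructed sample CloudTrail records (invented for this example, not real log data).
# Record 1: a member account successfully leaves its organization.
# Record 2: the same call from another account is denied (for instance by an SCP);
#           CloudTrail still records it, with an errorCode, so it remains an attempt.
# Record 3: an unrelated Organizations read call that must not raise an alert.
SAMPLE_CLOUDTRAIL = {"Records": [
    {
        "eventVersion": "1.08",
        "eventTime": "2024-01-15T10:02:11Z",
        "eventSource": "organizations.amazonaws.com",
        "eventName": "LeaveOrganization",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "recipientAccountId": "111122223333",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/alice",
                         "accountId": "111122223333"},
    },
    {
        "eventVersion": "1.08",
        "eventTime": "2024-01-15T10:05:40Z",
        "eventSource": "organizations.amazonaws.com",
        "eventName": "LeaveOrganization",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "recipientAccountId": "444455556666",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::444455556666:assumed-role/Admin/bob",
                         "accountId": "444455556666"},
        "errorCode": "AccessDeniedException",
        "errorMessage": "constructed message: explicit deny in a service control policy",
    },
    {
        "eventVersion": "1.08",
        "eventTime": "2024-01-15T10:06:00Z",
        "eventSource": "organizations.amazonaws.com",
        "eventName": "DescribeOrganization",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "recipientAccountId": "111122223333",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/alice",
                         "accountId": "111122223333"},
    },
]}


def load_records(text: str) -> List[dict]:
    """Accept either a CloudTrail log file ({"Records": [...]}) or JSON Lines."""
    text = text.strip()
    if text.startswith("{") and '"Records"' in text[:40]:
        return json.loads(text)["Records"]
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_leave_organization(record: dict) -> bool:
    """The rule's match condition: an Organizations LeaveOrganization call."""
    return (record.get("eventSource") == "organizations.amazonaws.com"
            and record.get("eventName") == "LeaveOrganization")


def triage(record: dict) -> dict:
    """Pull out the fields the triage steps ask about, including whether it succeeded."""
    identity = record.get("userIdentity", {})
    return {
        "time": record.get("eventTime"),
        "account": record.get("recipientAccountId") or identity.get("accountId"),
        "principal": identity.get("arn"),
        "source_ip": record.get("sourceIPAddress"),
        "succeeded": "errorCode" not in record,
        "error": record.get("errorCode"),
    }


def detect(records: Iterable[dict]) -> List[dict]:
    """Return one finding per LeaveOrganization attempt, successful or denied."""
    return [triage(r) for r in records if is_leave_organization(r)]


def related_activity(records: Iterable[dict], principal_arn: str) -> List[str]:
    """Triage step 2: other API calls made by the same principal."""
    return sorted({r.get("eventName") for r in records
                   if r.get("userIdentity", {}).get("arn") == principal_arn
                   and not is_leave_organization(r)})


if __name__ == "__main__":
    recs = load_records(json.dumps(SAMPLE_CLOUDTRAIL))
    for finding in detect(recs):
        outcome = "SUCCEEDED" if finding["succeeded"] else f"DENIED ({finding['error']})"
        print(f"{finding['time']} account {finding['account']}: LeaveOrganization {outcome} "
              f"by {finding['principal']} from {finding['source_ip']}")
        print("  other calls by this principal:", related_activity(recs, finding["principal"]))
```

The detector deliberately does not filter on errorCode: a denied LeaveOrganization call is the signal that a principal with enough access tried to pull the account out of the organization, which is exactly what the triage steps are meant to investigate.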