---
title: SCP should prevent accounts from leaving the organization
description: Datadog, the leading service for cloud-scale monitoring.
---

# SCP should prevent accounts from leaving the organization
 
## Description{% #description %}

A Service Control Policy (SCP) should deny the `organizations:LeaveOrganization` action to prevent member accounts from leaving the AWS Organization. Accounts that leave the organization lose all centralized governance controls, including SCPs, consolidated billing, and security guardrails.

This rule also flags SCPs that use `NotAction` to exempt `organizations:LeaveOrganization` or `organizations:*` from a deny statement. A `NotAction`-based exemption creates a gap that could be exploited if the corresponding explicit deny is ever removed.

## Remediation{% #remediation %}

Create an SCP that explicitly denies `organizations:LeaveOrganization` using `Action` (not `NotAction`) and attach it to the organization root. Remove any `NotAction`-based deny statements that exempt organization actions. Refer to the [SCP syntax documentation](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html) for guidance.
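The two conditions described above can be checked offline against exported SCP documents. The following Python sketch is an added example, not Datadog's rule logic or code from AWS. It goes slightly beyond the two patterns named above by treating any wildcard pattern that covers `organizations:LeaveOrganization` as a match. The function names and both sample policies are constructed for illustration, and it assumes `Condition`, `Resource`, and policy attachment are checked separately.

```python
import fnmatch

TARGET = "organizations:leaveorganization"  # IAM action names are case-insensitive

def _as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def _covers_leave(pattern):
    # Action patterns may use * and ? wildcards, e.g. organizations:*
    return fnmatch.fnmatchcase(TARGET, pattern.lower())

def evaluate_scp(policy):
    """Return (has_explicit_deny, notaction_exemptions) for one SCP document."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    explicit, exemptions = False, []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Deny":
            continue
        if any(_covers_leave(p) for p in _as_list(stmt.get("Action"))):
            explicit = True
        exempt = [p for p in _as_list(stmt.get("NotAction")) if _covers_leave(p)]
        if exempt:
            exemptions.append((stmt.get("Sid", f"statement[{i}]"), exempt))
    return explicit, exemptions

def is_compliant(policies):
    # Compliant: some SCP explicitly denies the action and none exempts it via NotAction
    results = [evaluate_scp(p) for p in policies]
    return any(e for e, _ in results) and not any(x for _, x in results)

# Constructed sample SCPs (not taken from a real organization)
GOOD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyLeaveOrg", "Effect": "Deny",
     "Action": "organizations:LeaveOrganization", "Resource": "*"}]}
GAP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyOutsideRegion", "Effect": "Deny",
     "NotAction": ["iam:*", "organizations:*"], "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": "eu-west-1"}}}]}

if __name__ == "__main__":
    for name, scp in (("GOOD", GOOD), ("GAP", GAP)):
        print(name, evaluate_scp(scp))
    print("GOOD + GAP compliant:", is_compliant([GOOD, GAP]))
```

`GOOD` is the shape of policy the remediation asks for; `GAP` is a deny statement whose `NotAction` list exempts `organizations:*`, so it is reported even when `GOOD` is also attached.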
