VIEW RULE IN DATADOG VIEW MISCONFIGURATIONS

Description

A Service Control Policy (SCP) should deny the organizations:LeaveOrganization action to prevent member accounts from leaving the AWS Organization. Accounts that leave the organization lose all centralized governance controls, including SCPs, consolidated billing, and security guardrails.

This rule also flags SCPs that use NotAction to exempt organizations:LeaveOrganization or organizations:* from a deny statement. A NotAction-based exemption creates a gap that could be exploited if the corresponding explicit deny is ever removed.

Remediation

Create an SCP that explicitly denies organizations:LeaveOrganization using Action (not NotAction) and attach it to the organization root. Remove any NotAction-based deny statements that exempt organization actions. Refer to the SCP syntax documentation for guidance.