CIRT insights: How to help prevent unauthorized account removals from AWS Organizations

ID: 671e2898-1ce3-530b-8eba-ba95c06e362a

STIX ID: report--671e2898-1ce3-530b-8eba-ba95c06e362a

Feed Name: AWS Security Blog

Threat Score: 70/100

Date Published: 2026-05-19

Date Updated: 2026-05-19

Author: Shannon Brazil


This AWS Customer Incident Response Team advisory describes a tactic in which threat actors use the organizations:LeaveOrganization permission/API to remove a member account from an AWS Organization. Leaving the organization eliminates inherited guardrails (SCPs), centralized logging and detection (CloudTrail, GuardDuty), and consolidated billing, which reduces visibility and hampers incident response. The report outlines the associated CloudTrail events that can be used to detect the activity and recommends mitigations such as a DenyLeaveOrganization SCP, least-privilege IAM, MFA on root, and centralized root access management.
