Skip to content

Attempt to Leave the AWS Organization

Platform: AWS


  • Defense Evasion


Attempts to leave the AWS Organization. Since the execution users are not granted this permission, the attempt will fail and result in an AccessDenied error.

Attacker Actions:

  • Attempts to leave an AWS Organization.
  • Resulting event name: LeaveOrganization
  • Assigned IAM Permission: organizations:LeaveOrganization

Workflow Inputs:

Specify which user this attack should run as.


Clean Up:

  • Recreates the CloudTrail trail.
  • Executed as the DeRF Default User

Execution Instructions

  • See User Guide for Execution Instructions via the Google Cloud Console
  • Programmatically execute this workflow with the following cli command:
gcloud workflows run aws-delete-cloudtrail-trail `--data={"user": "user01"}` 

Detection Artifacts

Any attempts from a child account to leave its AWS Organization should be considered suspicious as leaving the organization can remove security controls enforced from the Organizational Management Account