2026-05-21 · aws-security
AWS Security published guidance on a tactic where threat actors use access inside a compromised account to remove it from AWS Organizations. That can strip away guardrails that normally help contain damage and preserve oversight. The post is a reminder that account-level compromise is not just about stolen data. It can also become a control-plane attack that undermines recovery, monitoring, and governance.
AWS CIRT described a tactic in which an attacker who already holds permissions such as organizations:LeaveOrganization inside a member account calls it to detach that account from its organization. The post frames this as abuse of legitimate configuration and identity, not a service vulnerability, and the guidance is aimed at helping defenders spot the pattern and harden their organizational controls. One caveat a practitioner should keep in mind: a service control policy that denies organizations:LeaveOrganization only binds while the account is still a member, and SCPs never apply to the management account, so the control has to be in place before a compromise rather than added afterwards.
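As an added example (not code from the AWS Security post, and not AWS's own tooling), the two pieces a defender would want here: an SCP document that explicitly denies organizations:LeaveOrganization for member accounts, and a small detector that runs over CloudTrail records and flags both successful and denied attempts to pull an account out of the organization. The CloudTrail records below are constructed sample data; the account IDs, ARNs and IP addresses are placeholders. The detector also watches RemoveAccountFromOrganization, the management-account side of the same outcome, which goes slightly beyond the single action named in the post.

```python
"""Added example: deny-leave SCP plus a CloudTrail detector for
organization-exit attempts. Sample records are constructed, not real."""
import fnmatch
import json

# Service control policy in the JSON form AWS Organizations accepts. An
# explicit Deny beats any Allow the attacker holds in IAM, but only while the
# account is still a member, and SCPs never apply to the management account.
DENY_LEAVE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PreventMemberAccountsFromLeaving",
            "Effect": "Deny",
            "Action": "organizations:LeaveOrganization",
            "Resource": "*",
        }
    ],
}

# Control-plane calls that move an account out of an organization.
# LeaveOrganization is called from inside the member account;
# RemoveAccountFromOrganization is called from the management account.
ORG_EXIT_EVENTS = {"LeaveOrganization", "RemoveAccountFromOrganization"}


def scp_denies_leave(policy: dict) -> bool:
    """True if the policy carries an explicit Deny covering
    organizations:LeaveOrganization (wildcards like organizations:* count).
    IAM action matching is case-insensitive, so compare lowercased."""
    target = "organizations:leaveorganization"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if fnmatch.fnmatchcase(target, action.lower()):
                return True
    return False


def find_org_exit_attempts(records):
    """Return findings for CloudTrail records where someone tried to detach an
    account. Denied attempts (errorCode present) are reported too: a blocked
    call is often the earliest sign that an attacker is probing the control
    plane after gaining access."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "organizations.amazonaws.com":
            continue
        if rec.get("eventName") not in ORG_EXIT_EVENTS:
            continue
        identity = rec.get("userIdentity", {})
        findings.append({
            "eventTime": rec.get("eventTime"),
            "eventName": rec["eventName"],
            "account": rec.get("recipientAccountId"),
            "actor": identity.get("arn"),
            "sourceIPAddress": rec.get("sourceIPAddress"),
            "outcome": "denied" if rec.get("errorCode") else "succeeded",
        })
    return findings


# Constructed CloudTrail records: one unrelated call, one LeaveOrganization
# blocked by an SCP, one LeaveOrganization that succeeded in a second account.
SAMPLE_CLOUDTRAIL = [
    {
        "eventTime": "2026-05-20T09:12:01Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "sourceIPAddress": "198.51.100.7",
    },
    {
        "eventTime": "2026-05-20T09:40:22Z",
        "eventSource": "organizations.amazonaws.com",
        "eventName": "LeaveOrganization",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "sourceIPAddress": "203.0.113.44",
        "errorCode": "AccessDenied",
    },
    {
        "eventTime": "2026-05-20T09:41:05Z",
        "eventSource": "organizations.amazonaws.com",
        "eventName": "LeaveOrganization",
        "recipientAccountId": "222222222222",
        "userIdentity": {"arn": "arn:aws:iam::222222222222:role/admin-role"},
        "sourceIPAddress": "203.0.113.44",
    },
]

if __name__ == "__main__":
    print(json.dumps(DENY_LEAVE_SCP, indent=2))
    for finding in find_org_exit_attempts(SAMPLE_CLOUDTRAIL):
        print(finding)
```

Attach the SCP at the root or at the OUs that hold member accounts; the denied attempt in the sample is exactly the signal you want an alert on, since the same actor and source address then succeed against a second account that had no such policy.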
If an attacker can pull an account out of centralized controls, incident response gets harder fast: central logging, policy enforcement, and containment workflows can all fragment at the moment they are needed most, and the detached account keeps running under attacker control with no organization-level guardrail left to stop it. That loss of oversight raises the odds of lasting data loss, unauthorized spending, and slower recovery.
Cold storage keeps critical backups and recovery material outside the live control plane, so a compromised account cannot easily destroy everything at once. Offline copies also give responders a clean source of truth if cloud-side governance is tampered with. For high-value environments, isolated backups and separate recovery credentials are the difference between disruption and full rebuild.