{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/aws-account/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS account","AWS Organizations"],"_cs_severities":["critical"],"_cs_tags":["cloud","aws","impact","data-destruction","account-access-removal"],"_cs_type":"threat","_cs_vendors":["Amazon Web Services"],"content_html":"\u003cp\u003eThis threat brief details the critical impact of an AWS account closure, which can be initiated by an adversary who gains root credentials to an AWS account or management-level access to an AWS Organizations management account, or by a malicious insider. The \u003ccode\u003eCloseAccount\u003c/code\u003e API call, whether self-service (\u003ccode\u003eaccount.amazonaws.com\u003c/code\u003e) or initiated by an organization's management account (\u003ccode\u003eorganizations.amazonaws.com\u003c/code\u003e), is one of the most destructive and disruptive actions available in AWS. It immediately triggers a 90-day grace period where the account is suspended, rendering all resources and data inaccessible before permanent termination. Attackers can leverage this action to destroy evidence, severely disrupt business operations, or eliminate critical compute and data resources, classifying any unauthorized occurrence as a critical security incident.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn adversary obtains root credentials for a target AWS account or gains management-level administrative access to an AWS Organizations management account.\u003c/li\u003e\n\u003cli\u003eThe adversary executes the \u003ccode\u003eCloseAccount\u003c/code\u003e API call, either directly against the compromised account or against a member account within the organization.\u003c/li\u003e\n\u003cli\u003eThe targeted AWS account immediately enters a 90-day suspension period as a result of the API call.\u003c/li\u003e\n\u003cli\u003eAll access to resources, applications, and data within the suspended account is revoked, preventing legitimate users from operating.\u003c/li\u003e\n\u003cli\u003eDuring the suspension, the adversary may achieve objectives such as destroying evidence of compromise or creating maximum business disruption.\u003c/li\u003e\n\u003cli\u003eIf no intervention occurs, the AWS account is permanently terminated after the 90-day grace period, leading to irreversible loss of all data and infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAn unauthorized AWS account closure is a critical incident leading to immediate and severe consequences. Upon closure, all resources and data within the account become inaccessible for a 90-day suspension period, effectively crippling business operations that rely on the affected AWS environment. This can result in significant data loss, prolonged service outages, reputational damage, and financial costs associated with recovery or rebuilding infrastructure. The impact is pervasive, affecting all sectors and potentially leading to permanent data destruction if the account is not restored within the grace period.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule in this brief to your SIEM to detect \u003ccode\u003eCloseAccount\u003c/code\u003e API calls made via AWS CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003eaws.cloudtrail.user_identity.type\u003c/code\u003e fields in CloudTrail logs to identify the actor initiating account closure.\u003c/li\u003e\n\u003cli\u003eContact AWS Support immediately if an unauthorized account closure is detected to attempt cancellation/restoration within the 90-day grace period.\u003c/li\u003e\n\u003cli\u003eRestrict \u003ccode\u003eorganizations:CloseAccount\u003c/code\u003e and \u003ccode\u003eaccount:CloseAccount\u003c/code\u003e permissions to a minimal set of trusted administrative identities to reduce attack surface.\u003c/li\u003e\n\u003cli\u003eImplement robust change management processes to ensure all legitimate AWS account closures have corresponding records and approvals, serving as a filter for the \u003ccode\u003efalsepositives\u003c/code\u003e of the Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T07:26:01Z","date_published":"2026-07-17T07:26:01Z","id":"https://feed.craftedsignal.io/briefs/2026-07-aws-account-closed/","summary":"Adversaries or malicious insiders may close an AWS account using the `CloseAccount` API, a highly destructive action that suspends all access for 90 days before permanent termination, leading to data destruction and significant business disruption.","title":"AWS Account Closure Detected","url":"https://feed.craftedsignal.io/briefs/2026-07-aws-account-closed/"}],"language":"en","title":"CraftedSignal Threat Feed - AWS Account","version":"https://jsonfeed.org/version/1.1"}