﻿---
title: AWS Account Closed
description: Detects the closure of an AWS account via the CloseAccount API. This can be called either by the account itself (account.amazonaws.com, self-service closure)...
url: https://www.elastic.co/elastic/docs-builder/docs/3663/reference/security/prebuilt-rules/rules/integrations/aws/impact_aws_account_closed
products:
  - Elastic Security
---

# AWS Account Closed
Detects the closure of an AWS account via the CloseAccount API. This can be called either by the account itself
(account.amazonaws.com, self-service closure) or by an AWS Organizations management account against one of its member
accounts (organizations.amazonaws.com). Account closure triggers a 90-day grace period during which the account is
suspended before permanent termination, and is one of the most destructive and disruptive actions available in AWS. It
removes access to all resources and data in the account for the duration of the suspension. An adversary with root-level
access in a member account, or management-level access to an organization, may close accounts to destroy evidence,
disrupt business operations, or eliminate compute and data resources. A malicious insider could use the same action for
sabotage.
**Rule type**: query
**Rule indices**:
- logs-aws.cloudtrail-*

**Rule Severity**: medium
**Risk Score**: 47
**Runs every**: 
**Searches indices from**: `now-6m`
**Maximum alerts per execution**: 100
**References**:
- [[https://docs.aws.amazon.com/accounts/latest/reference/API_CloseAccount.html](https://docs.aws.amazon.com/accounts/latest/reference/API_CloseAccount.html)](https://docs.aws.amazon.com/accounts/latest/reference/API_CloseAccount.html)
- [[https://docs.aws.amazon.com/organizations/latest/APIReference/API_CloseAccount.html](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CloseAccount.html)](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CloseAccount.html)
- [[https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_close.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_close.html)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_close.html)

**Tags**:
- Domain: Cloud
- Data Source: AWS
- Data Source: Amazon Web Services
- Data Source: AWS CloudTrail
- Use Case: Threat Detection
- Tactic: Impact
- Resources: Investigation Guide

**Version**: 1
**Rule authors**:
- Elastic

**Rule license**: Elastic License v2

## Investigation guide


## Triage and analysis


### Investigating AWS Account Closed

AWS account closure is one of the most destructive actions that can be performed against an AWS account. Even during
the 90-day suspension/grace period before permanent termination, the account and its resources are inaccessible. This
action requires either root credentials on the account itself, or organization-management-level permissions to close
a member account, making any unauthorized occurrence a critical security incident.
This rule covers both closure paths: self-service closure (`event.provider: account.amazonaws.com`) and closure of a
member account initiated from the organization's management account (`event.provider: organizations.amazonaws.com`).

#### Possible investigation steps

- **Identify the actor**: review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type` to
  determine who initiated the closure, and from which account context (the closed account itself, or the
  organization's management account).
- **Determine which account was closed**: check `cloud.account.id` and `aws.cloudtrail.request_parameters` (the
  organization-initiated path includes the target `AccountId`).
- **Contact the account/organization owner immediately** to confirm intent — this should never be a surprise.
- **Act within the grace period**: AWS Organizations can cancel a pending closure during the up-to-90-day suspension
  window if the action was unauthorized.
- **Review the actor's other activity** immediately before and after the closure for signs of broader compromise
  (credential creation, privilege escalation, log tampering).


### False positive analysis

- Legitimate account decommissioning or consolidation will show the same event. Confirm against change-management
  records and organizational restructuring plans before escalating further.


### Response and remediation

- Contact AWS Support immediately to attempt cancellation/restoration within the grace period.
- Revoke or rotate credentials for the identity that initiated the closure, and escalate to incident response.
- Preserve all available CloudTrail logs and evidence from the affected account before access is lost.
- Review organization-level permissions to ensure `organizations:CloseAccount` and `account:CloseAccount` are
  restricted to a small, trusted set of administrative identities.


## Rule Query

```kuery
data_stream.dataset: "aws.cloudtrail"
    and event.action: "CloseAccount"
    and event.outcome: "success"
    and event.provider: ("account.amazonaws.com" or "organizations.amazonaws.com")
```

**Framework:** MITRE ATT&CK
- Tactic:
  - Name: Impact
- Id: TA0040
- Reference URL: [[https://attack.mitre.org/tactics/TA0040/](https://attack.mitre.org/tactics/TA0040/)](https://attack.mitre.org/tactics/TA0040/)
- Technique:
  - Name: Data Destruction
- Id: T1485
- Reference URL: [[https://attack.mitre.org/techniques/T1485/](https://attack.mitre.org/techniques/T1485/)](https://attack.mitre.org/techniques/T1485/)
- Technique:
  - Name: Account Access Removal
- Id: T1531
- Reference URL: [[https://attack.mitre.org/techniques/T1531/](https://attack.mitre.org/techniques/T1531/)](https://attack.mitre.org/techniques/T1531/)