AWS_IN_ORGANIZATION

Summary

FSProtect ACL Alias: AWS_IN_ORGANIZATION

Edge Type: Relationship

Affected Object Types: AWS Accounts, AWS Organizations

Exploitation Certainty: Certain

AWS IAM Action / Condition: Relationship visibility via organizations:DescribeOrganization, organizations:ListAccounts

Description

AWS_IN_ORGANIZATION represents that an AWS account is a member of an AWS Organization.

AWS Organizations is a management service that allows grouping multiple AWS accounts under a single management account. The organization provides centralized governance through:

  • Service Control Policies (SCPs): Permission guardrails applied at the organization, OU, or account level. SCPs define the maximum permissions any identity in a member account can exercise — even if IAM policies in that account would otherwise allow an action, an SCP can deny it.

  • Organization ID (o-xxxx): Used as a condition value in IAM and resource-based policies via aws:PrincipalOrgID, enabling trust relationships scoped to all accounts within the organization without listing each account individually.

  • Management account: The account that created the organization. It has full authority to apply SCPs, invite and remove member accounts, and access delegated admin services. Critically, the management account itself is not subject to SCPs — any identity with sufficient IAM permissions in the management account is effectively unrestricted at the organization level.

This edge is not directly exploitable on its own, but it is essential for understanding the full scope of an attack:

  • Identifying that a compromised account is in an organization reveals whether SCP restrictions may silently block IAM-permitted actions.

  • Knowing the management account's identity reveals the highest-impact target — compromise of the management account can affect all member accounts.

  • The aws:PrincipalOrgID condition is frequently used to grant broad cross-account trust to all org members — an attacker with any foothold inside the organization may inherit that trust.

Identification

AWS CLI

Retrieve organization details (requires organizations:DescribeOrganization):

List all accounts in the organization:

List the organizational unit (OU) structure:

Find which OU an account belongs to:

List SCPs attached to the organization root (affects all accounts):
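The enumeration above, carried out programmatically, as an added example that is not part of the original page: the client, account ids, OU ids and SCP names are constructed stand-ins shaped like the Organizations API responses, so it runs offline; with real credentials the fake client can be swapped for boto3.client("organizations").

```python
# Added example, not from the original page: walk an organization the way the CLI
# steps above do, using a constructed stand-in client so it runs offline. With real
# credentials, FakeOrgClient can be replaced by boto3.client("organizations").

MGMT = "111111111111"     # constructed management account id
SANDBOX = "222222222222"  # constructed member account id

class FakeOrgClient:
    """Constructed sample responses shaped like the Organizations API output."""
    def describe_organization(self):
        return {"Organization": {"Id": "o-exampleorg", "MasterAccountId": MGMT}}
    def list_accounts(self):
        return {"Accounts": [{"Id": MGMT, "Name": "management"},
                             {"Id": SANDBOX, "Name": "sandbox"}]}
    def list_parents(self, ChildId):
        parent = {SANDBOX: "ou-sandbox", "ou-sandbox": "r-root", MGMT: "r-root"}
        return {"Parents": [{"Id": parent[ChildId]}]}
    def list_policies_for_target(self, TargetId, Filter):
        scps = {"r-root": ["FullAWSAccess"],
                "ou-sandbox": ["FullAWSAccess", "DenyLeaveOrg"]}
        return {"Policies": [{"Name": n} for n in scps.get(TargetId, [])]}

def scp_chain(client, account_id):
    """SCPs attached at the account, each parent OU, and the root, leaf first."""
    chain, target = [], account_id
    while True:
        names = [p["Name"] for p in client.list_policies_for_target(
            TargetId=target, Filter="SERVICE_CONTROL_POLICY")["Policies"]]
        chain.append((target, names))
        if target.startswith("r-"):          # reached the organization root
            return chain
        target = client.list_parents(ChildId=target)["Parents"][0]["Id"]

def org_report(client):
    """Map every member account to its org id, role and effective SCP chain."""
    org = client.describe_organization()["Organization"]
    report = {}
    for acct in client.list_accounts()["Accounts"]:
        is_mgmt = acct["Id"] == org["MasterAccountId"]
        report[acct["Id"]] = {
            "org_id": org["Id"],
            "management_account": is_mgmt,
            # SCPs never restrict the management account, wherever it is placed
            "scps_apply": not is_mgmt,
            "scp_chain": scp_chain(client, acct["Id"]),
        }
    return report

if __name__ == "__main__":
    for acct_id, info in org_report(FakeOrgClient()).items():
        print(acct_id, info)
```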

AWS Console

  1. Open AWS Organizations (you must be signed in to the management account or a delegated administrator account).

  2. Accounts view shows all member accounts, their IDs, emails, and OU placement.

  3. Policies > Service control policies shows what SCPs are active and at which level they are attached.

  4. The Organization structure tree view shows the OU hierarchy and SCP inheritance at each level.

Exploitation

There is no direct exploit path for this edge. AWS_IN_ORGANIZATION represents a structural membership relationship.

However, this edge is high-value for attack path analysis:

  • SCP enumeration: If an attacker can call organizations:ListPoliciesForTarget or organizations:DescribePolicy, they can map exactly which actions are blocked by SCPs, avoiding detection from failed API calls.

  • Management account targeting: The management account is not subject to SCPs. If an attacker can pivot to the management account (via sts:AssumeRole with a trust policy scoped to the management account, or via a service with cross-account access), they can bypass all organizational guardrails.

  • aws:PrincipalOrgID abuse: If a resource policy uses aws:PrincipalOrgID as the only trust condition, any identity within the organization — including a low-privilege user in a sandbox account — can access that resource.

Mitigation

  • Restrict access to organizations:* actions to a minimal set of administrative roles in the management account.

  • Do not use aws:PrincipalOrgID alone as a trust condition for sensitive resources — combine it with account-level or role-level restrictions.

  • Apply SCPs to the management account's OU (if the management account is placed in an OU) and use detective controls to compensate for the fact that SCPs do not restrict the management account itself.

  • Enable AWS Config organization-wide to maintain visibility into resource configuration across all member accounts.

  • Use delegated administrator accounts for services like Security Hub, GuardDuty, and Config rather than performing management tasks directly from the management account.
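The aws:PrincipalOrgID point raised under Exploitation and Mitigation, shown with a minimal condition evaluator. This is an added example, not the page's own code or a real IAM engine: it handles only the StringEquals and ArnLike operators, and the organization id, account ids, bucket name and ARNs are constructed.

```python
# Added example, not from the original page: a minimal IAM condition evaluator that
# shows why a resource policy keyed only on aws:PrincipalOrgID trusts every principal
# in the organization, and how the hardened form narrows it. All ids are constructed.
from fnmatch import fnmatchcase

ORG_ID = "o-exampleorg"          # constructed organization id
PROD_ACCOUNT = "111111111111"    # constructed account that should have access

def condition_matches(statement, ctx):
    """Evaluate StringEquals / ArnLike conditions against a request context."""
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            expected = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key)                 # a missing key never matches
            if actual is None:
                return False
            if operator == "StringEquals" and actual not in expected:
                return False
            if operator == "ArnLike" and not any(fnmatchcase(actual, e) for e in expected):
                return False
    return True

# Weak: any identity in the org, including a sandbox account user, is trusted.
WEAK = {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-data/*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}}

# Hardened: org membership combined with account- and role-level restrictions.
HARDENED = {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-data/*",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID,
                                           "aws:PrincipalAccount": PROD_ACCOUNT},
                          "ArnLike": {"aws:PrincipalArn":
                                      f"arn:aws:iam::{PROD_ACCOUNT}:role/DataReader*"}}}

# Constructed request contexts for three callers
SANDBOX_USER = {"aws:PrincipalOrgID": ORG_ID, "aws:PrincipalAccount": "222222222222",
                "aws:PrincipalArn": "arn:aws:iam::222222222222:user/intern"}
PROD_READER = {"aws:PrincipalOrgID": ORG_ID, "aws:PrincipalAccount": PROD_ACCOUNT,
               "aws:PrincipalArn": f"arn:aws:iam::{PROD_ACCOUNT}:role/DataReader"}
OUTSIDER = {"aws:PrincipalOrgID": "o-otherorg", "aws:PrincipalAccount": "999999999999",
            "aws:PrincipalArn": "arn:aws:iam::999999999999:user/someone"}

def allowed(statement, ctx):
    """True when the Allow statement's conditions match the caller's context."""
    return statement["Effect"] == "Allow" and condition_matches(statement, ctx)
```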

Detection

Organization membership changes are infrequent but high-impact. Monitor CloudTrail in the management account for:

  • CreateAccount, InviteAccountToOrganization — new accounts joining the org

  • RemoveAccountFromOrganization — accounts being removed

  • AttachPolicy, DetachPolicy — SCP changes that could expand or restrict permissions

  • CreateOrganizationalUnit, DeleteOrganizationalUnit — structural changes

SCP modification events are especially sensitive — a detached deny-all SCP or a modified guardrail can silently expand permissions across all accounts under an OU.
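Detection logic for the events listed above, run over constructed CloudTrail records, as an added example that is not part of the original page. The account ids, ARNs, policy id, OU id and timestamps are constructed sample values; in production the same filter would run over the management account's CloudTrail delivery.

```python
import json

# Added example, not from the original page: a detection pass over constructed
# CloudTrail records for the Organizations events listed above. Account ids,
# policy ids, user names and timestamps are constructed sample values.

WATCHED = {  # eventName -> severity; a detached SCP silently widens permissions
    "CreateAccount": "medium", "InviteAccountToOrganization": "medium",
    "RemoveAccountFromOrganization": "high",
    "AttachPolicy": "high", "DetachPolicy": "critical",
    "CreateOrganizationalUnit": "low", "DeleteOrganizationalUnit": "medium",
}

SAMPLE_LOG = "\n".join(json.dumps(r) for r in [   # constructed records
    {"eventTime": "2024-05-01T10:02:11Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "DetachPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-admin"},
     "requestParameters": {"policyId": "p-examplescp", "targetId": "ou-sandbox"}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "ListAccounts",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/Auditor"}},
    {"eventTime": "2024-05-01T10:04:30Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"arn": "arn:aws:iam::222222222222:user/dev"}},
    {"eventTime": "2024-05-01T10:05:45Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "InviteAccountToOrganization", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"},
     "requestParameters": {"target": {"id": "333333333333", "type": "ACCOUNT"}}},
])

def scan(log_text):
    """Return one alert per watched Organizations event, failed attempts included."""
    alerts = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        name = rec.get("eventName")
        if rec.get("eventSource") != "organizations.amazonaws.com" or name not in WATCHED:
            continue
        params = rec.get("requestParameters") or {}
        alerts.append({
            "severity": WATCHED[name], "event": name, "time": rec.get("eventTime"),
            "actor": rec.get("userIdentity", {}).get("arn"),
            "policy": params.get("policyId"),
            "target": params.get("targetId") or (params.get("target") or {}).get("id"),
            "failed": "errorCode" in rec,   # denied attempts are still worth review
        })
    return alerts

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a)
```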
