I tried implementing the equivalent settings of the default leave-prevention SCP applied in AWS Organizations to an existing organization
This page has been translated by machine translation. View original
Introduction
On July 10, 2026, an update was announced where AWS Organizations will automatically apply an SCP to prevent account departure by default for new organizations created from the console.
The changes introduced by this update are as follows.
| Item | Before | This Update |
|---|---|---|
| When creating a new organization via console | No automatic SCP application | SCP denying organizations:LeaveOrganization and account:CloseAccount is automatically applied to the root |
| Target | — | New creations via console only (CLI/SDK/CloudFormation are not applicable) |
| Impact on existing organizations | — | None (only new console creations on or after June 30, 2026) |
| Modification/Disabling | — | Users can do so at any time |
The content of the automatically applied SCP is as follows.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyLeaveOrganizationAndCloseAccount",
"Effect": "Deny",
"Action": [
"organizations:LeaveOrganization",
"account:CloseAccount"
],
"Resource": "*"
}
]
}
The regions listed in the What's New include US East (N. Virginia), AWS GovCloud (US-East / US-West), and China (Beijing / Ningxia). Since the Organizations API endpoint is us-east-1, you do not need to be aware of regions for normal use in the commercial partition.
In this article, we will manually apply the equivalent of this SCP to an existing Organization and verify that departure from member accounts is denied.
Verification Details
Verification Environment
| Item | Value |
|---|---|
| Management Account | 111122223333 |
| Member Account | 444455556666 |
| Organization ID | o-exampleorgid |
| Root ID | r-exrt |
| Region | us-east-1 |
Creating the SCP
From the management account, create an SCP with the same content as the one applied by default.
aws organizations create-policy \
--name DenyLeaveOrganizationAndCloseAccount \
--description "Deny member accounts from leaving the organization or closing themselves" \
--type SERVICE_CONTROL_POLICY \
--content '{"Version":"2012-10-17","Statement":[{"Sid":"DenyLeaveOrganizationAndCloseAccount","Effect":"Deny","Action":["organizations:LeaveOrganization","account:CloseAccount"],"Resource":"*"}]}' \
--region us-east-1
The policy was created.
{
"Policy": {
"PolicySummary": {
"Id": "p-examplepolicy",
"Arn": "arn:aws:organizations::111122223333:policy/o-exampleorgid/service_control_policy/p-examplepolicy",
"Name": "DenyLeaveOrganizationAndCloseAccount",
"Description": "Deny member accounts from leaving the organization or closing themselves",
"Type": "SERVICE_CONTROL_POLICY",
"AwsManaged": false
}
}
}
Attaching to the Root
Attach the created SCP to the root of the Organization.
aws organizations attach-policy \
--policy-id p-examplepolicy \
--target-id r-exrt \
--region us-east-1
Completed successfully (no output).
Attempting to Leave from a Member Account
Switch to the member account (444455556666) via AssumeRole and execute leave-organization.
aws sts assume-role \
--role-arn arn:aws:iam::444455556666:role/OrganizationAccountAccessRole \
--role-session-name scp-verification \
--region us-east-1
Using the obtained credentials, attempt to leave the organization.
aws organizations leave-organization --region us-east-1
The request was denied with the following error.
An error occurred (AccessDeniedException) when calling the LeaveOrganization operation: You don't have permissions to access this resource.
The OrganizationAccountAccessRole used for verification has permissions equivalent to AdministratorAccess, so this is not a permissions shortage due to an IAM policy. This error is caused by the explicit Deny of the SCP attached to the root, and we were able to confirm that the member account cannot leave the organization.
Cleanup
Now that verification is complete, detach and delete the SCP.
aws organizations detach-policy \
--policy-id p-examplepolicy \
--target-id r-exrt \
--region us-east-1
aws organizations delete-policy \
--policy-id p-examplepolicy \
--region us-east-1
Both completed successfully.
Summary
With this update, the SCP that denies member account departure and closure is now enabled by default in Organizations newly created from the console. Since it is not automatically applied to organizations created via CLI or SDK, or to existing Organizations, you can apply equivalent controls by manually creating the same SCP and attaching it to the root.
In the verification in this article, we executed organizations:LeaveOrganization from a role with permissions equivalent to AdministratorAccess and confirmed that it is denied by the SCP's explicit Deny. Note that the same SCP definition also includes a denial of account:CloseAccount, but verifying the behavior of the account closure operation is outside the scope of this article's verification.
The SCP attachment limit was expanded from 5 to 10 in May 2026, providing more room to apply additional SCPs. We recommend maintaining the default application for new Organizations and applying equivalent settings to existing Organizations where quota permits.
Reference Links

