I tried implementing the equivalent settings of the default leave-prevention SCP applied in AWS Organizations to an existing organization

I tried implementing the equivalent settings of the default leave-prevention SCP applied in AWS Organizations to an existing organization

AWS Organizations now automatically applies an SCP that denies member account leaving and closing to organizations newly created from the console. Since organizations created via CLI/SDK or existing organizations are not subject to this, I manually created and attached the same SCP and confirmed that organization leaving is denied.
2026.07.11

This page has been translated by machine translation. View original

Introduction

On July 10, 2026, an update was announced where AWS Organizations will automatically apply an SCP to prevent account departure by default for new organizations created from the console.

https://aws.amazon.com/about-aws/whats-new/2026/07/aws-organizations-security-controls-new-orgs-console

The changes introduced by this update are as follows.

Item Before This Update
When creating a new organization via console No automatic SCP application SCP denying organizations:LeaveOrganization and account:CloseAccount is automatically applied to the root
Target New creations via console only (CLI/SDK/CloudFormation are not applicable)
Impact on existing organizations None (only new console creations on or after June 30, 2026)
Modification/Disabling Users can do so at any time

The content of the automatically applied SCP is as follows.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyLeaveOrganizationAndCloseAccount",
            "Effect": "Deny",
            "Action": [
                "organizations:LeaveOrganization",
                "account:CloseAccount"
            ],
            "Resource": "*"
        }
    ]
}

The regions listed in the What's New include US East (N. Virginia), AWS GovCloud (US-East / US-West), and China (Beijing / Ningxia). Since the Organizations API endpoint is us-east-1, you do not need to be aware of regions for normal use in the commercial partition.

In this article, we will manually apply the equivalent of this SCP to an existing Organization and verify that departure from member accounts is denied.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_default_controls.html

Verification Details

Verification Environment

Item Value
Management Account 111122223333
Member Account 444455556666
Organization ID o-exampleorgid
Root ID r-exrt
Region us-east-1

Creating the SCP

From the management account, create an SCP with the same content as the one applied by default.

aws organizations create-policy \
    --name DenyLeaveOrganizationAndCloseAccount \
    --description "Deny member accounts from leaving the organization or closing themselves" \
    --type SERVICE_CONTROL_POLICY \
    --content '{"Version":"2012-10-17","Statement":[{"Sid":"DenyLeaveOrganizationAndCloseAccount","Effect":"Deny","Action":["organizations:LeaveOrganization","account:CloseAccount"],"Resource":"*"}]}' \
    --region us-east-1

The policy was created.

{
    "Policy": {
        "PolicySummary": {
            "Id": "p-examplepolicy",
            "Arn": "arn:aws:organizations::111122223333:policy/o-exampleorgid/service_control_policy/p-examplepolicy",
            "Name": "DenyLeaveOrganizationAndCloseAccount",
            "Description": "Deny member accounts from leaving the organization or closing themselves",
            "Type": "SERVICE_CONTROL_POLICY",
            "AwsManaged": false
        }
    }
}

Attaching to the Root

Attach the created SCP to the root of the Organization.

aws organizations attach-policy \
    --policy-id p-examplepolicy \
    --target-id r-exrt \
    --region us-east-1

Completed successfully (no output).

Attempting to Leave from a Member Account

Switch to the member account (444455556666) via AssumeRole and execute leave-organization.

aws sts assume-role \
    --role-arn arn:aws:iam::444455556666:role/OrganizationAccountAccessRole \
    --role-session-name scp-verification \
    --region us-east-1

Using the obtained credentials, attempt to leave the organization.

aws organizations leave-organization --region us-east-1

The request was denied with the following error.

An error occurred (AccessDeniedException) when calling the LeaveOrganization operation: You don't have permissions to access this resource.

The OrganizationAccountAccessRole used for verification has permissions equivalent to AdministratorAccess, so this is not a permissions shortage due to an IAM policy. This error is caused by the explicit Deny of the SCP attached to the root, and we were able to confirm that the member account cannot leave the organization.

Cleanup

Now that verification is complete, detach and delete the SCP.

aws organizations detach-policy \
    --policy-id p-examplepolicy \
    --target-id r-exrt \
    --region us-east-1

aws organizations delete-policy \
    --policy-id p-examplepolicy \
    --region us-east-1

Both completed successfully.

Summary

With this update, the SCP that denies member account departure and closure is now enabled by default in Organizations newly created from the console. Since it is not automatically applied to organizations created via CLI or SDK, or to existing Organizations, you can apply equivalent controls by manually creating the same SCP and attaching it to the root.

In the verification in this article, we executed organizations:LeaveOrganization from a role with permissions equivalent to AdministratorAccess and confirmed that it is denied by the SCP's explicit Deny. Note that the same SCP definition also includes a denial of account:CloseAccount, but verifying the behavior of the account closure operation is outside the scope of this article's verification.

The SCP attachment limit was expanded from 5 to 10 in May 2026, providing more room to apply additional SCPs. We recommend maintaining the default application for new Organizations and applying equivalent settings to existing Organizations where quota permits.

https://dev.classmethod.jp/articles/aws-organizations-scp-quota-increase-2026/

https://dev.classmethod.jp/articles/aws-organizations-scp-quota-10-per-entity/

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_create.html


そのマルチアカウント運用、気合いで支えていませんか

Organizations や Control Tower で土台は作れても、アカウントもポリシーも増えるほど、運用は「詳しい一人」に寄りかかっていく。属人化が限界を迎える前に、組織として回す仕組み=CCoEへ。5,600社の支援から得た立ち上げの型を、無料資料にまとめました。

CCoE総合支援

組織で回す仕組みの資料をもらう

Share this article

AWSのお困り事はクラスメソッドへ