more details needed about terminated AWS account

Question

I want to know who closed my account but it is post 90 days of closure now, and seems to be terminated. However, I would like to know when the acccount was first closed and who closed it as it comes under organization.

Answer

Hi,
 CloudTrail captures [all API calls for AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html#orgs_cloudtrail-integration) as events, including `CloseAccount`, with the following user identity information in the log entry:
* Whether the request was made with root user or IAM user credentials
* Whether the request was made with temporary security credentials for an IAM role or a federated user
* Whether the request was made by another AWS service

However,  CloudTrail will only show the results of the CloudTrail Event History [for the last 90 days](https://aws.amazon.com/cloudtrail/faqs/?nc1=h_ls), so you must have configured a CloudTrail trail to enable continuous delivery of CloudTrail events to an Amazon S3 bucket, or you won't be able to see them. Did you already have it configured?

If so, then you can use [Amazon Athena to query data in S3](https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html). This is an example of `CloseAccount` log entry, extracted from the [AWS documentation](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html#orgs_cloudtrail-integration), which can serve as a reference.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAMVNPBQA3EXAMPLE:my-admin-role",
        "arn": "arn:aws:sts::111122223333:assumed-role/my-admin-role/my-session-id",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AIDAMVNPBQA3EXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/my-admin-role",
                "accountId": "111122223333",
                "userName": "my-session-id"
            },
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2022-03-18T18:17:06Z"
            }
        }
    },
    "eventTime": "2022-03-18T18:17:06Z",
    "eventSource": "organizations.amazonaws.com",
    "eventName": "CloseAccount",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.168.0.1",
    "userAgent":  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...",
    "requestParameters": {
        "accountId": "555555555555"
    },
    "responseElements": null,
    "requestID": "e28932f8-d5da-4d7a-8238-ef74f3d5c09a",
    "eventID": "19fe4c10-f57e-4cb7-a2bc-6b5c30233592",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

Answer

You can find the "CloseAccount" event in the CloudTrail of the Organizations management account.  
When checking CloudTrail events, please check "us-east-1".  
The following images are in Japanese, but were confirmed by my console.  
![closeaccount](/media/postImages/original/IMtwPkscEXRhusgQXx4nE5mQ)

more details needed about terminated AWS account

相关内容