By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

more details needed about terminated AWS account

0

I want to know who closed my account but it is post 90 days of closure now, and seems to be terminated. However, I would like to know when the acccount was first closed and who closed it as it comes under organization.

Topics
Management & Governance
Tags
AWS OrganizationsAWS Account Management
Language
English
priromauld
asked a year ago218 views
2 Answers
0

You can find the "CloseAccount" event in the CloudTrail of the Organizations management account.
When checking CloudTrail events, please check "us-east-1".
The following images are in Japanese, but were confirmed by my console.
closeaccount

profile picture
EXPERT
Riku_Kobayashi
answered a year ago
0

Hi, CloudTrail captures all API calls for AWS Organizations as events, including CloseAccount, with the following user identity information in the log entry:

  • Whether the request was made with root user or IAM user credentials
  • Whether the request was made with temporary security credentials for an IAM role or a federated user
  • Whether the request was made by another AWS service

However, CloudTrail will only show the results of the CloudTrail Event History for the last 90 days, so you must have configured a CloudTrail trail to enable continuous delivery of CloudTrail events to an Amazon S3 bucket, or you won't be able to see them. Did you already have it configured?

If so, then you can use Amazon Athena to query data in S3. This is an example of CloseAccount log entry, extracted from the AWS documentation, which can serve as a reference.

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAMVNPBQA3EXAMPLE:my-admin-role",
        "arn": "arn:aws:sts::111122223333:assumed-role/my-admin-role/my-session-id",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AIDAMVNPBQA3EXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/my-admin-role",
                "accountId": "111122223333",
                "userName": "my-session-id"
            },
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2022-03-18T18:17:06Z"
            }
        }
    },
    "eventTime": "2022-03-18T18:17:06Z",
    "eventSource": "organizations.amazonaws.com",
    "eventName": "CloseAccount",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.168.0.1",
    "userAgent":  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...",
    "requestParameters": {
        "accountId": "555555555555"
    },
    "responseElements": null,
    "requestID": "e28932f8-d5da-4d7a-8238-ef74f3d5c09a",
    "eventID": "19fe4c10-f57e-4cb7-a2bc-6b5c30233592",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
profile picture
EXPERT
Mikel Del Tio
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content