{
	"id": "8f47ff9b-545f-460f-b8f2-be19401a1b04",
	"created_at": "2026-04-06T00:11:32.580544Z",
	"updated_at": "2026-04-10T13:12:40.590427Z",
	"deleted_at": null,
	"sha1_hash": "1aa5300d070b4ca27e5009b5da6ef08bbb710e75",
	"title": "DisableAWSServiceAccess - AWS Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65599,
	"plain_text": "DisableAWSServiceAccess - AWS Organizations\r\nArchived: 2026-04-05 17:06:47 UTC\r\nPerforming this operation violates a minimum or maximum value limit. For example, attempting to remove the\r\nlast service control policy (SCP) from an OU or root, inviting or creating too many accounts to the organization,\r\nor attaching too many policies to an account, OU, or root. This exception includes a reason that contains\r\nadditional information about the violated limit:\r\nACCOUNT_CANNOT_LEAVE_ORGANIZATION: You attempted to remove the management account\r\nfrom the organization. You can't remove the management account. Instead, after you remove all member\r\naccounts, delete the organization itself.\r\nACCOUNT_CANNOT_LEAVE_WITHOUT_PHONE_VERIFICATION: You attempted to remove an\r\naccount from the organization that doesn't yet have enough information to exist as a standalone account.\r\nThis account requires you to first complete phone verification. Follow the steps at Removing a member\r\naccount from your organization in the AWS Organizations User Guide.\r\nACCOUNT_CREATION_RATE_LIMIT_EXCEEDED: You attempted to exceed the number of accounts\r\nthat you can create in one day.\r\nACCOUNT_CREATION_NOT_COMPLETE: Your account setup isn't complete or your account isn't\r\nfully active. You must complete the account setup before you create an organization.\r\nACTIVE_RESPONSIBILITY_TRANSFER_PROCESS: You cannot delete organization due to an ongoing\r\nresponsibility transfer process. For example, a pending invitation or an in-progress transfer. To delete the\r\norganization, you must resolve the current transfer process.\r\nACCOUNT_NUMBER_LIMIT_EXCEEDED: You attempted to exceed the limit on the number of\r\naccounts in an organization. If you need more accounts, contact AWS Support to request an increase in\r\nyour limit.\r\nOr the number of invitations that you tried to send would cause you to exceed the limit of accounts in your\r\norganization. Send fewer invitations or contact AWS Support to request an increase in the number of\r\naccounts.\r\nNote\r\nDeleted and closed accounts still count toward your limit.\r\nImportant\r\nIf you get this exception when running a command immediately after creating the organization, wait one\r\nhour and try again. After an hour, if the command continues to fail with this error, contact AWS Support.\r\nhttps://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html\r\nPage 1 of 4\n\nALL_FEATURES_MIGRATION_ORGANIZATION_SIZE_LIMIT_EXCEEDED: Your organization has\r\nmore than 5000 accounts, and you can only use the standard migration process for organizations with less\r\nthan 5000 accounts. Use the assisted migration process to enable all features mode, or create a support case\r\nfor assistance if you are unable to use assisted migration.\r\nCANNOT_REGISTER_SUSPENDED_ACCOUNT_AS_DELEGATED_ADMINISTRATOR: You cannot\r\nregister a suspended account as a delegated administrator.\r\nCANNOT_REGISTER_MASTER_AS_DELEGATED_ADMINISTRATOR: You attempted to register the\r\nmanagement account of the organization as a delegated administrator for an AWS service integrated with\r\nOrganizations. You can designate only a member account as a delegated administrator.\r\nCANNOT_CLOSE_MANAGEMENT_ACCOUNT: You attempted to close the management account. To\r\nclose the management account for the organization, you must first either remove or close all member\r\naccounts in the organization. Follow standard account closure process using root credentials.\r\nCANNOT_REMOVE_DELEGATED_ADMINISTRATOR_FROM_ORG: You attempted to remove an\r\naccount that is registered as a delegated administrator for a service integrated with your organization. To\r\ncomplete this operation, you must first deregister this account as a delegated administrator.\r\nCLOSE_ACCOUNT_QUOTA_EXCEEDED: You have exceeded close account quota for the past 30 days.\r\nCLOSE_ACCOUNT_REQUESTS_LIMIT_EXCEEDED: You attempted to exceed the number of\r\naccounts that you can close at a time. \r\nCREATE_ORGANIZATION_IN_BILLING_MODE_UNSUPPORTED_REGION: To create an\r\norganization in the specified region, you must enable all features mode.\r\nDELEGATED_ADMINISTRATOR_EXISTS_FOR_THIS_SERVICE: You attempted to register an AWS\r\naccount as a delegated administrator for an AWS service that already has a delegated administrator. To\r\ncomplete this operation, you must first deregister any existing delegated administrators for this service.\r\nEMAIL_VERIFICATION_CODE_EXPIRED: The email verification code is only valid for a limited\r\nperiod of time. You must resubmit the request and generate a new verification code.\r\nHANDSHAKE_RATE_LIMIT_EXCEEDED: You attempted to exceed the number of handshakes that you\r\ncan send in one day.\r\nINVALID_PAYMENT_INSTRUMENT: You cannot remove an account because no supported payment\r\nmethod is associated with the account. AWS does not support cards issued by financial institutions in\r\nRussia or Belarus. For more information, see Managing your AWS payments.\r\nMASTER_ACCOUNT_ADDRESS_DOES_NOT_MATCH_MARKETPLACE: To create an account in\r\nthis organization, you first must migrate the organization's management account to the marketplace that\r\ncorresponds to the management account's address. All accounts in an organization must be associated with\r\nthe same marketplace.\r\nhttps://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html\r\nPage 2 of 4\n\nMASTER_ACCOUNT_MISSING_BUSINESS_LICENSE: Applies only to the AWS Regions in China. To\r\ncreate an organization, the master must have a valid business license. For more information, contact\r\ncustomer support.\r\nMASTER_ACCOUNT_MISSING_CONTACT_INFO: To complete this operation, you must first provide\r\na valid contact address and phone number for the management account. Then try the operation again.\r\nMASTER_ACCOUNT_NOT_GOVCLOUD_ENABLED: To complete this operation, the management\r\naccount must have an associated account in the AWS GovCloud (US-West) Region. For more information,\r\nsee AWS Organizations in the AWS GovCloud User Guide.\r\nMASTER_ACCOUNT_PAYMENT_INSTRUMENT_REQUIRED: To create an organization with this\r\nmanagement account, you first must associate a valid payment instrument, such as a credit card, with the\r\naccount. For more information, see Considerations before removing an account from an organization in the\r\nAWS Organizations User Guide.\r\nMAX_DELEGATED_ADMINISTRATORS_FOR_SERVICE_LIMIT_EXCEEDED: You attempted to\r\nregister more delegated administrators than allowed for the service principal.\r\nMAX_POLICY_TYPE_ATTACHMENT_LIMIT_EXCEEDED: You attempted to exceed the number of\r\npolicies of a certain type that can be attached to an entity at one time.\r\nMAX_TAG_LIMIT_EXCEEDED: You have exceeded the number of tags allowed on this resource.\r\nMEMBER_ACCOUNT_PAYMENT_INSTRUMENT_REQUIRED: To complete this operation with this\r\nmember account, you first must associate a valid payment instrument, such as a credit card, with the\r\naccount. For more information, see Considerations before removing an account from an organization in the\r\nAWS Organizations User Guide.\r\nMIN_POLICY_TYPE_ATTACHMENT_LIMIT_EXCEEDED: You attempted to detach a policy from an\r\nentity that would cause the entity to have fewer than the minimum number of policies of a certain type\r\nrequired.\r\nORGANIZATION_NOT_IN_ALL_FEATURES_MODE: You attempted to perform an operation that\r\nrequires the organization to be configured to support all features. An organization that supports only\r\nconsolidated billing features can't perform this operation.\r\nOU_DEPTH_LIMIT_EXCEEDED: You attempted to create an OU tree that is too many levels deep.\r\nOU_NUMBER_LIMIT_EXCEEDED: You attempted to exceed the number of OUs that you can have in\r\nan organization.\r\nPOLICY_CONTENT_LIMIT_EXCEEDED: You attempted to create a policy that is larger than the\r\nmaximum size.\r\nPOLICY_NUMBER_LIMIT_EXCEEDED: You attempted to exceed the number of policies that you can\r\nhave in an organization.\r\nhttps://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html\r\nPage 3 of 4\n\nPOLICY_TYPE_ENABLED_FOR_THIS_SERVICE: You attempted to disable service access before you\r\ndisabled the policy type (for example, SECURITYHUB_POLICY). To complete this operation, you must\r\nfirst disable the policy type.\r\nRESPONSIBILITY_TRANSFER_MAX_INBOUND_QUOTA_VIOLATION: You have exceeded your\r\ninbound transfers limit.\r\nRESPONSIBILITY_TRANSFER_MAX_LEVEL_VIOLATION: You have exceeded the maximum length\r\nof your transfer chain.\r\nRESPONSIBILITY_TRANSFER_MAX_OUTBOUND_QUOTA_VIOLATION: You have exceeded your\r\noutbound transfers limit.\r\nRESPONSIBILITY_TRANSFER_MAX_TRANSFERS_QUOTA_VIOLATION: You have exceeded the\r\nmaximum number of inbound transfers allowed in a transfer chain.\r\nSERVICE_ACCESS_NOT_ENABLED:\r\nYou attempted to register a delegated administrator before you enabled service access. Call the\r\nEnableAWSServiceAccess API first.\r\nYou attempted to enable a policy type before you enabled service access. Call the\r\nEnableAWSServiceAccess API first.\r\nTAG_POLICY_VIOLATION: You attempted to create or update a resource with tags that are not\r\ncompliant with the tag policy requirements for this account.\r\nTRANSFER_RESPONSIBILITY_SOURCE_DELETION_IN_PROGRESS: The source organization\r\ncannot accept this transfer invitation because it is marked for deletion.\r\nTRANSFER_RESPONSIBILITY_TARGET_DELETION_IN_PROGRESS: The source organization\r\ncannot accept this transfer invitation because target organization is marked for deletion.\r\nUNSUPPORTED_PRICING: Your organization has a pricing contract that is unsupported.\r\nWAIT_PERIOD_ACTIVE: After you create an AWS account, you must wait until at least four days after\r\nthe account was created. Invited accounts aren't subject to this waiting period.\r\nSource: https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html\r\nhttps://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html"
	],
	"report_names": [
		"API_DisableAWSServiceAccess.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434292,
	"ts_updated_at": 1775826760,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1aa5300d070b4ca27e5009b5da6ef08bbb710e75.pdf",
		"text": "https://archive.orkl.eu/1aa5300d070b4ca27e5009b5da6ef08bbb710e75.txt",
		"img": "https://archive.orkl.eu/1aa5300d070b4ca27e5009b5da6ef08bbb710e75.jpg"
	}
}