Skip to content
Threat Feed
medium advisory

AWS IAM Policy Deletion Detection

Detection of AWS IAM policy deletion events, which could indicate malicious activity by a compromised account or insider threat.

This brief focuses on the detection of AWS Identity and Access Management (IAM) policy deletion events. While legitimate IAM policy changes are common, the unauthorized or malicious deletion of policies can disrupt cloud infrastructure, leading to denial of service or privilege escalation. The detection focuses on activity within AWS environments and aims to identify potentially malicious actors removing IAM policies. This alert helps security teams quickly identify and respond to potentially malicious modifications of cloud infrastructure.

Attack Chain

  1. Attacker gains initial access to an AWS account, possibly through compromised credentials or a vulnerability.
  2. The attacker enumerates existing IAM policies to understand the permission structure.
  3. Attacker identifies a target IAM policy to disable or delete.
  4. The attacker uses AWS CLI or API calls to initiate the deletion of the IAM policy.
  5. AWS CloudTrail logs record the DeletePolicy event with details about the actor, policy ARN, and timestamp.
  6. The policy is removed from the AWS environment.
  7. Services or users relying on the deleted policy lose permissions, potentially causing disruption.
  8. Attacker attempts to cover tracks by deleting relevant CloudTrail logs (requires elevated privileges).

Impact

Successful deletion of IAM policies can lead to significant disruption of AWS environments. Services and users that depend on the deleted policy will lose the associated permissions, potentially causing denial of service or privilege escalation scenarios. This could affect critical applications, data access, and overall infrastructure stability. The scope of the impact depends on the importance and breadth of the deleted policy, potentially affecting entire departments or organizations.

Detection coverage 2

Detect AWS IAM Policy Deletion

medium

Detects the deletion of IAM policies within an AWS environment by monitoring CloudTrail logs.

sigma tactics: impact techniques: T1485 sources: cloudtrail, aws

Detect AWS IAM Policy Deletion by Unusual User Agent

high

Detects IAM policy deletion events triggered by unusual user agents, potentially indicating compromised credentials.

sigma tactics: credential_access techniques: T1078 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →