Delete IAM Policy
An adversary may attempt to delete an IAM policy within an account, to alter legitimate access or block administrative activity.
| Name | Type | Description | Example |
|---|---|---|---|
| policy | str | ARN of the IAM policy to delete | EXAMPLEARNHERE |
```shell
aws iam delete-policy --policy-arn EXAMPLEARNHERE
```

`delete-policy` only succeeds once the managed policy has been detached from every user, group and role and all of its non-default versions have been deleted; until then IAM rejects the call with a `DeleteConflict` error. The rejected attempt is still written to CloudTrail, with the same `eventName` and an `errorCode` field, so the detection below also surfaces an adversary's first, unsuccessful try.
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events:

```
eventName:DeletePolicy AND eventSource:*.iam.amazonaws.com
```

Check the `eventSource` clause against your index before relying on it: CloudTrail records IAM calls with `eventSource` set to exactly `iam.amazonaws.com`, and a wildcard term of `*.iam.amazonaws.com` only matches values that carry a literal `.iam.amazonaws.com` suffix. If the query returns nothing for a known test deletion, use `eventSource:iam.amazonaws.com` instead. Note also that this query covers customer managed policies only; removing an inline policy is a different API call (`DeleteRolePolicy`, `DeleteUserPolicy`, `DeleteGroupPolicy`) and needs its own rule.
The same detection as a Sigma rule:

```yaml
---
title: Delete IAM Policy
id: d24b1d06-5da8-47a6-b3e2-be701113cf6e
status: experimental
author: Nick Jones
date: 2020-06-18
description: An adversary may attempt to delete an IAM policy within an account, to alter legitimate access or block administrative activity.
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "*.iam.amazonaws.com"
  events:
    - eventName: "DeletePolicy"
  condition: selection_source AND events
level: low
tags:
  - attack.t1089
```

The `eventSource` wildcard carries the same caveat as the Lucene query above: Sigma's `*` matches any run of characters, so `*.iam.amazonaws.com` requires a literal `.iam.amazonaws.com` suffix and will not match the bare `iam.amazonaws.com` that CloudTrail emits. The `attack.t1089` tag is the ATT&CK numbering current when the rule was written (Disabling Security Tools); ATT&CK has since deprecated T1089 in favour of T1562 (Impair Defenses).
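To see how the rule's `selection_source AND events` logic behaves on real CloudTrail shapes, here is an added Python example (written for this page; it is not Leonidas code and not from the original page) that applies the selection, with Sigma wildcard semantics, to four constructed CloudTrail records. The ARNs, principal and resource names are made up; the `DeleteConflict` record models the refusal IAM returns when the policy is still attached. Running it shows the `*.iam.amazonaws.com` pattern matching nothing, because CloudTrail records `eventSource` as `iam.amazonaws.com` with no prefix, while the exact value matches both the successful and the refused deletion; the inline-policy removal (`DeleteRolePolicy`) is outside the rule either way.

```python
"""Exercise the page's CloudTrail selection against constructed sample events.

Added example for this page; it is not Leonidas code. The four records
below are constructed for the demonstration and trimmed to the fields the
rule reads. Their eventSource / eventName / errorCode values mirror what
CloudTrail emits for IAM; the ARNs and names are made up.
"""
import fnmatch
from typing import Iterable

SAMPLE_EVENTS = [
    {  # successful deletion of a customer managed policy
        "eventSource": "iam.amazonaws.com",
        "eventName": "DeletePolicy",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/attacker"},
        "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/SecurityAuditPolicy"},
    },
    {  # same call refused: the policy is still attached (or has extra versions)
        "eventSource": "iam.amazonaws.com",
        "eventName": "DeletePolicy",
        "errorCode": "DeleteConflict",
        "errorMessage": "Cannot delete a policy attached to entities.",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/attacker"},
        "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/SecurityAuditPolicy"},
    },
    {  # inline policy removed from a role: a different API, outside this rule
        "eventSource": "iam.amazonaws.com",
        "eventName": "DeleteRolePolicy",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/attacker"},
        "requestParameters": {"roleName": "AuditRole", "policyName": "inline-audit"},
    },
    {  # deletion of a bucket policy: wrong service, must never match
        "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteBucketPolicy",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/attacker"},
        "requestParameters": {"bucketName": "audit-logs"},
    },
]


def sigma_match(value: str, pattern: str) -> bool:
    """Sigma string matching: '*' is any run, '?' one character, case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def select(events: Iterable[dict], source_pattern: str, event_names: Iterable[str]) -> list:
    """Apply the rule's `selection_source AND events` condition to a batch of records."""
    names = set(event_names)
    return [
        e for e in events
        if sigma_match(e.get("eventSource", ""), source_pattern)
        and e.get("eventName") in names
    ]


def describe(hits: Iterable[dict]) -> list:
    """(caller ARN, policy ARN, outcome) per hit; refused calls carry an errorCode."""
    return [
        (
            h["userIdentity"]["arn"],
            h["requestParameters"].get("policyArn", "?"),
            h.get("errorCode", "Success"),
        )
        for h in hits
    ]


PAGE_PATTERN = "*.iam.amazonaws.com"   # eventSource pattern as written in the rule
EXACT_PATTERN = "iam.amazonaws.com"    # the value CloudTrail actually records

if __name__ == "__main__":
    for label, pattern in (("rule as written", PAGE_PATTERN), ("exact source", EXACT_PATTERN)):
        hits = select(SAMPLE_EVENTS, pattern, ["DeletePolicy"])
        print(f"{label} ({pattern}): {len(hits)} hit(s)")
        for caller, arn, outcome in describe(hits):
            print(f"  {caller} -> {arn}: {outcome}")
```

The matcher deliberately lowercases both sides and uses `fnmatchcase`, so the result does not depend on the host platform's case handling; `fnmatch` escapes the dots in the pattern, which is exactly why the leading `*.` in the page's pattern demands a suffix the real value lacks.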