Skip to content

Delete IAM Policy

Author Last Update
Nick Jones 2020-06-18

An adversary may attempt to delete an IAM policy within an account, to alter legitimate access or block administrative activity.

MITRE IDs

Required Permissions

  • iam:DeletePolicy

Required Parameters

Name Type Description Example Value
policy str ARN of the IAM policy to delete EXAMPLEARNHERE

Attacker Action

aws iam delete-policy --policy-arn EXAMPLEARNHERE

Detection Case

ELK query

When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.

eventName:DeletePolicy AND eventSource:*.iam.amazonaws.com  

Sigma Definition

---
title: Delete IAM Policy
id: d24b1d06-5da8-47a6-b3e2-be701113cf6e
status: experimental
author: Nick Jones
date: 2020-06-18
description: An adversary may attempt to delete an IAM policy within an account, to alter legitimate access or block administrative activity.
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "*.iam.amazonaws.com"
  events:
    - eventName: "DeletePolicy"
  condition: selection_source AND events
level: low
tags:
  - attack.t1089