Delete IAM group
An adversary may attempt to delete an IAM group within an account, to alter legitimate access or block administrative activity.
| Name | Type | Description | Example value |
|------|------|-------------|---------------|
| group | str | IAM group to delete | example_group |
aws iam delete-group --group-name example_group
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
eventName:DeleteGroup AND eventSource:*.iam.amazonaws.com
---
title: Delete IAM group
id: 84d2c61d-2882-4223-880d-5b69dce1c1d4
status: experimental
author: Nick Jones
date: 2023-07-01
description: An adversary may attempt to delete an IAM group within an account, to alter legitimate access or block administrative activity.
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "*.iam.amazonaws.com"
  events:
    - eventName: "DeleteGroup"
  condition: selection_source and events
level: low
tags:
  - attack.T1531
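The detection above, replayed offline as an added example (not part of the original page): it applies the rule's two selections to constructed CloudTrail records and reports the actor, the group and whether the call succeeded. CloudTrail logs IAM calls with eventSource `iam.amazonaws.com`, which a leading `*.` wildcard does not cover under glob matching, so the function also accepts the bare value by default. The record contents and the function name `find_group_deletions` are assumptions made for this example.

```python
from fnmatch import fnmatchcase

# Constructed CloudTrail records, trimmed to the fields used here (not real logs).
SAMPLE_RECORDS = [
    {"eventTime": "2023-07-01T10:15:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteGroup",
     "requestParameters": {"groupName": "example_group"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2023-07-01T10:16:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteGroup", "errorCode": "AccessDenied",
     "requestParameters": {"groupName": "admins"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2023-07-01T10:17:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListGroups", "requestParameters": None,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2023-07-01T10:18:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteSecurityGroup",
     "requestParameters": {"groupId": "sg-0123456789abcdef0"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]

# The page's wildcard plus the bare value CloudTrail records for IAM calls.
DEFAULT_SOURCES = ("*.iam.amazonaws.com", "iam.amazonaws.com")


def find_group_deletions(records, source_patterns=DEFAULT_SOURCES):
    """Return one summary dict per DeleteGroup event from a matching source."""
    hits = []
    for rec in records:
        if rec.get("eventName") != "DeleteGroup":
            continue
        source = rec.get("eventSource", "")
        if not any(fnmatchcase(source, p) for p in source_patterns):
            continue
        # requestParameters and userIdentity can be null in CloudTrail records.
        params = rec.get("requestParameters") or {}
        identity = rec.get("userIdentity") or {}
        hits.append({
            "time": rec.get("eventTime"),
            "actor": identity.get("arn"),
            "group": params.get("groupName"),
            # A failed attempt (errorCode present) is still worth triaging.
            "succeeded": "errorCode" not in rec,
        })
    return hits


if __name__ == "__main__":
    for hit in find_group_deletions(SAMPLE_RECORDS):
        print(hit)
```

Passing `source_patterns=("*.iam.amazonaws.com",)` shows what the wildcard alone matches on your own exported records, which is a quick way to validate the query before relying on it.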