EXPLORE
Sign In
← Back to Explore
splunk_escuHunting

AWS IAM Delete Policy

The following analytic detects the deletion of an IAM policy in AWS. It leverages AWS CloudTrail logs to identify `DeletePolicy` events, excluding those from AWS internal services. This activity is significant as unauthorized policy deletions can disrupt access controls and weaken security postures. If confirmed malicious, an attacker could remove critical security policies, potentially leading to privilege escalation, unauthorized access, or data exfiltration. Monitoring this behavior helps ensure that only authorized changes are made to IAM policies, maintaining the integrity and security of the AWS environment.

Detection Query

`cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com)
  | rename user_name as user
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY signature dest user
       user_agent src vendor_account
       vendor_region vendor_product
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `aws_iam_delete_policy_filter`

Author

Michael Haag, Splunk

Data Sources

AWS CloudTrail DeletePolicy

References

Raw Content
name: AWS IAM Delete Policy
id: ec3a9362-92fe-11eb-99d0-acde48001122
version: 8
creation_date: '2021-04-06'
modification_date: '2026-05-13'
author: Michael Haag, Splunk
status: production
type: Hunting
description: The following analytic detects the deletion of an IAM policy in AWS. It leverages AWS CloudTrail logs to identify `DeletePolicy` events, excluding those from AWS internal services. This activity is significant as unauthorized policy deletions can disrupt access controls and weaken security postures. If confirmed malicious, an attacker could remove critical security policies, potentially leading to privilege escalation, unauthorized access, or data exfiltration. Monitoring this behavior helps ensure that only authorized changes are made to IAM policies, maintaining the integrity and security of the AWS environment.
data_source:
    - AWS CloudTrail DeletePolicy
search: |-
    `cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com)
      | rename user_name as user
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY signature dest user
           user_agent src vendor_account
           vendor_region vendor_product
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `aws_iam_delete_policy_filter`
how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs.
known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only.
references:
    - https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html
    - https://docs.aws.amazon.com/cli/latest/reference/iam/delete-policy.html
analytic_story:
    - AWS IAM Privilege Escalation
asset_type: AWS Account
mitre_attack_id:
    - T1098
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: cloud
security_domain: access
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_delete_policy/aws_iam_delete_policy.json
          sourcetype: aws:cloudtrail
          source: aws_cloudtrail
      test_type: unit