
AWS IAM Delete Policy

Splunk Security Content

Summary
The AWS IAM Delete Policy detection rule monitors for, and alerts on, the deletion of IAM policies within an AWS environment. The analytic uses AWS CloudTrail logs, specifically the `DeletePolicy` events, and filters out events generated by AWS internal services. Deleting IAM policies poses a significant risk when done by an unauthorized user: it weakens access-control mechanisms and can lead to privilege escalation or unauthorized access. Monitoring these deletions helps organizations maintain effective governance and safeguard their AWS resources against potentially malicious activity. The detection logic is a search query that records the source of the deletion request, the user responsible, and any related error messages, giving a comprehensive view of IAM policy modifications.
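The following is an added example, not the rule's own Splunk search, showing the same detection logic applied in Python to a few constructed CloudTrail records: keep only `DeletePolicy` events, drop calls made by AWS services, and aggregate by source, user ARN, error code, error message and user agent. The sample records are constructed, and the `*.amazonaws.com` user-agent test is an assumed approximation of the "AWS internal services" exclusion.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample CloudTrail records (not real telemetry); only the fields
# the detection uses are populated.
SAMPLE_EVENTS = [
    {"eventTime": "2024-11-14T10:00:00Z", "eventName": "DeletePolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"policyArn": "arn:aws:iam::111122223333:policy/ExamplePolicy"}},
    {"eventTime": "2024-11-14T10:05:00Z", "eventName": "DeletePolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"policyArn": "arn:aws:iam::111122223333:policy/OtherPolicy"},
     "errorCode": "DeleteConflict",
     "errorMessage": "Cannot delete a policy attached to entities."},
    # Deletion made by an AWS service on the account's behalf: excluded by the filter.
    {"eventTime": "2024-11-14T10:06:00Z", "eventName": "DeletePolicy",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/StackRole/x"},
     "sourceIPAddress": "cloudformation.amazonaws.com",
     "userAgent": "cloudformation.amazonaws.com",
     "requestParameters": {"policyArn": "arn:aws:iam::111122223333:policy/StackPolicy"}},
    # Not a DeletePolicy call: ignored.
    {"eventTime": "2024-11-14T10:07:00Z", "eventName": "CreatePolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0"},
]

def is_internal_service(event):
    # Assumed approximation of the "AWS internal services" exclusion: a user agent
    # that is an *.amazonaws.com service principal.
    return event.get("userAgent", "").endswith(".amazonaws.com")

def detect_policy_deletions(events):
    """One row per (src, user ARN, error code, error message, user agent), with
    count, first/last time and the set of policy ARNs targeted."""
    rows = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None, "policyArn": set()})
    for ev in events:
        if ev.get("eventName") != "DeletePolicy" or is_internal_service(ev):
            continue
        key = (ev.get("sourceIPAddress"), ev.get("userIdentity", {}).get("arn"),
               ev.get("errorCode"), ev.get("errorMessage"), ev.get("userAgent"))
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        row = rows[key]
        row["count"] += 1
        row["firstTime"] = ts if row["firstTime"] is None else min(row["firstTime"], ts)
        row["lastTime"] = ts if row["lastTime"] is None else max(row["lastTime"], ts)
        row["policyArn"].add(ev.get("requestParameters", {}).get("policyArn"))
    names = ("src", "user_arn", "errorCode", "errorMessage", "userAgent")
    return [dict(zip(names, key), **stats) for key, stats in rows.items()]
```

Running `detect_policy_deletions(SAMPLE_EVENTS)` yields two rows for alice (the successful deletion and the `DeleteConflict` failure are grouped separately because the error fields are part of the key), while the service-originated deletion and the unrelated `CreatePolicy` event produce nothing.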
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Cloud Storage
ATT&CK Techniques
  • T1098
Created: 2024-11-14