
Summary
This rule detects the deletion of the AWS IAM account password policy by monitoring CloudTrail for a successful DeleteAccountPasswordPolicy event from iam.amazonaws.com. The account password policy enforces minimum password length, character complexity, rotation, and reuse prevention for all IAM users; deleting it removes these requirements account-wide, weakening authentication and enabling credential-based attacks or masking weak credentials. Because this is an account-wide, high-impact change, it should be rare and deliberate. The detection uses a CloudTrail data stream (aws.cloudtrail) to identify the DeleteAccountPasswordPolicy action with a successful outcome, while excluding automated infrastructure tools and certain service interactions that legitimately modify policies. The rule maps to MITRE ATT&CK technique T1556 (Modify Authentication Process) under Defense Evasion (TA0005). Investigation should focus on the actor identity (aws.cloudtrail.user_identity.arn/type/session_issuer.arn), source IP, and user agent, and should verify whether a replacement policy was applied (UpdateAccountPasswordPolicy) or whether the account was left without a policy. Analysts should confirm alignment with approved governance changes, and correlate with related activity by the same principal (e.g., IAM user creation, login profile changes, or other policy-related actions).
False positives may occur from legitimate governance changes or infrastructure-as-code tooling deleting/replacing policies. Validate the principal against change records and exclude known administrators or automation after validation. GuardDuty or similar tooling may surface related changes (e.g., password policy changes) and should be correlated if enabled.
Remediation and response steps include restoring an appropriate password policy (via UpdateAccountPasswordPolicy) that meets organizational standards, reviewing IAM users or login profiles created while no policy was enforced, and rotating or restricting credentials for the principal if compromise is suspected. Access to DeleteAccountPasswordPolicy and UpdateAccountPasswordPolicy should be tightly controlled to a small set of trusted administrators.
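The detection and triage logic described above, as an added example that is not the rule's own query: it runs over constructed raw CloudTrail records (field names as CloudTrail emits them rather than the aws.cloudtrail.* ECS fields), and the excluded automation user agents and the 30-minute replacement window are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Assumed automation user-agent substrings to exclude (constructed, not the rule's own list).
AUTOMATION_AGENTS = ("Terraform", "cloudformation.amazonaws.com")

def _t(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect_policy_deletion(records):
    """Rule logic: successful DeleteAccountPasswordPolicy from IAM, minus known IaC user agents."""
    return [r for r in records
            if r.get("eventSource") == "iam.amazonaws.com"
            and r.get("eventName") == "DeleteAccountPasswordPolicy"
            and not r.get("errorCode")  # AccessDenied etc. is not a successful outcome
            and not any(a in r.get("userAgent", "") for a in AUTOMATION_AGENTS)]

def replacement_applied(hit, records, window_minutes=30):
    """Triage: did a successful UpdateAccountPasswordPolicy follow in the same account within the window?"""
    start = _t(hit["eventTime"])
    return any(r.get("eventName") == "UpdateAccountPasswordPolicy"
               and r.get("recipientAccountId") == hit.get("recipientAccountId")
               and not r.get("errorCode")
               and start <= _t(r["eventTime"]) <= start + timedelta(minutes=window_minutes)
               for r in records)

def actor_arn(hit):
    """Session issuer (role) ARN for assumed-role sessions, else the principal's own ARN."""
    ui = hit.get("userIdentity", {})
    return ui.get("sessionContext", {}).get("sessionIssuer", {}).get("arn") or ui.get("arn")

def _rec(name, acct, time, ua, arn, err=None):
    """Build a minimal constructed CloudTrail record (only the fields the rule reads)."""
    r = {"eventSource": "iam.amazonaws.com", "eventName": name, "recipientAccountId": acct,
         "eventTime": time, "userAgent": ua, "userIdentity": {"type": "IAMUser", "arn": arn}}
    if err:
        r["errorCode"] = err
    return r

SAMPLE = [  # constructed records, not real data
    _rec("DeleteAccountPasswordPolicy", "111111111111", "2026-06-18T10:00:00Z", "aws-cli/2.15.0", "arn:aws:iam::111111111111:user/alice"),
    _rec("DeleteAccountPasswordPolicy", "222222222222", "2026-06-18T10:05:00Z", "Terraform/1.6.0", "arn:aws:iam::222222222222:user/ci"),
    _rec("DeleteAccountPasswordPolicy", "333333333333", "2026-06-18T10:06:00Z", "aws-cli/2.15.0", "arn:aws:iam::333333333333:user/bob", "AccessDenied"),
    _rec("DeleteAccountPasswordPolicy", "444444444444", "2026-06-18T10:10:00Z", "console.amazonaws.com", "arn:aws:iam::444444444444:user/carol"),
    _rec("UpdateAccountPasswordPolicy", "444444444444", "2026-06-18T10:12:00Z", "console.amazonaws.com", "arn:aws:iam::444444444444:user/carol"),
]

def triage(records):
    """One (actor, account, replacement_applied) row per alert; False in the last slot is the urgent case."""
    return [(actor_arn(h), h["recipientAccountId"], replacement_applied(h, records))
            for h in detect_policy_deletion(records)]
```

On the constructed sample, the Terraform call and the AccessDenied call are filtered out, alice's deletion is flagged with no replacement policy, and carol's is flagged but shows a replacement applied two minutes later.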
Categories
- Cloud
- Identity Management
Data Sources
- Cloud Service
ATT&CK Techniques
- T1556
Created: 2026-06-18