Name:AWS IAM Delete Policy id:ec3a9362-92fe-11eb-99d0-acde48001122 version:6 date:2025-05-02 author:Michael Haag, Splunk status:production type:Hunting Description:The following analytic detects the deletion of an IAM policy in AWS. It leverages AWS CloudTrail logs to identify `DeletePolicy` events, excluding those from AWS internal services. This activity is significant as unauthorized policy deletions can disrupt access controls and weaken security postures. If confirmed malicious, an attacker could remove critical security policies, potentially leading to privilege escalation, unauthorized access, or data exfiltration. Monitoring this behavior helps ensure that only authorized changes are made to IAM policies, maintaining the integrity and security of the AWS environment. Data_source:
-AWS CloudTrail DeletePolicy
search:`cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com) | rename user_name as user | stats count min(_time) as firstTime max(_time) as lastTime by signature dest user user_agent src vendor_account vendor_region vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_delete_policy_filter`
how_to_implement:The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. known_false_positives:This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only. References: -https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html -https://docs.aws.amazon.com/cli/latest/reference/iam/delete-policy.html drilldown_searches:
: tags: analytic_story: - 'AWS IAM Privilege Escalation' asset_type:AWS Account mitre_attack_id: - 'T1098' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:access
