DeleteAccessKey
AWS
DeleteAccessKey
Event
Permanently deletes an IAM user’s access key, revoking the associated programmatic access credentials.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
- Resource destruction eliminates data and services that may be difficult or impossible to recover, especially without adequate backups.
Log Source
CloudTrail
Sample Event
Legitimate. Hermione (IAM admin) rotates Ron’s old OCCAMY pipeline access key after a planned key rotation — Ron has already been issued a new key, and Hermione removes the old one. This is the legitimate framing of the API. The adversarial flip would be Draco deleting a defender’s keys to lock them out (T1531) — flagged in notes.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDAHERM10NE000ADM1N", "arn": "arn:aws:iam::555123456789:user/hermione", "accountId": "555123456789", "accessKeyId": "AKIAHERM10NEEXAMPLE1", "userName": "hermione", "sessionContext": { "attributes": { "creationDate": "2026-04-15T14:02:33Z", "mfaAuthenticated": "true" } } }, "eventTime": "2026-04-15T14:21:09Z", "eventSource": "iam.amazonaws.com", "eventName": "DeleteAccessKey", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.42", "userAgent": "aws-cli/2.15.30 Python/3.11.6 Linux/5.15.0-1052-aws exe/x86_64.ubuntu.22 prompt/off command/iam.delete-access-key", "requestParameters": { "userName": "ron", "accessKeyId": "AKIAR0NWEA5LEYEXAMP2" }, "responseElements": null, "requestID": "90000000-0000-4000-8000-000011001010", "eventID": "90000000-0000-4000-8000-000011001011", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "iam.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment Impact
Techniques:
- T1531 — Account Access Removal — Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials, revoked permissions for SaaS platforms such as Sharepoint) to remove access to accounts....
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...