Skip to content

DeleteAccessKey

AWS

DeleteAccessKey

service: AWS - IAM
techniques:

Event

Permanently deletes an IAM user’s access key, revoking the associated programmatic access credentials.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
  • Resource destruction eliminates data and services that may be difficult or impossible to recover, especially without adequate backups.

Log Source

CloudTrail

Sample Event

Legitimate. Hermione (IAM admin) rotates Ron’s old OCCAMY pipeline access key after a planned key rotation — Ron has already been issued a new key, and Hermione removes the old one. This is the legitimate framing of the API. The adversarial flip would be Draco deleting a defender’s keys to lock them out (T1531) — flagged in notes.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAHERM10NE000ADM1N",
"arn": "arn:aws:iam::555123456789:user/hermione",
"accountId": "555123456789",
"accessKeyId": "AKIAHERM10NEEXAMPLE1",
"userName": "hermione",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T14:02:33Z",
"mfaAuthenticated": "true"
}
}
},
"eventTime": "2026-04-15T14:21:09Z",
"eventSource": "iam.amazonaws.com",
"eventName": "DeleteAccessKey",
"awsRegion": "us-east-1",
"sourceIPAddress": "198.51.100.42",
"userAgent": "aws-cli/2.15.30 Python/3.11.6 Linux/5.15.0-1052-aws exe/x86_64.ubuntu.22 prompt/off command/iam.delete-access-key",
"requestParameters": {
"userName": "ron",
"accessKeyId": "AKIAR0NWEA5LEYEXAMP2"
},
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000011001010",
"eventID": "90000000-0000-4000-8000-000011001011",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "iam.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment Impact

Techniques:
  • T1531 — Account Access Removal — Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials, revoked permissions for SaaS platforms such as Sharepoint) to remove access to accounts....
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...