DeleteBucket
AWS
DeleteBucket
Event
Permanently deletes an S3 bucket; the bucket must be empty before deletion can succeed.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
- Destructive deletion of cloud resources can cause significant operational disruption, data loss, and extended recovery times.
Log Source
CloudTrail
Sample Event
Adversarial. Draco deletes the production S3 bucket that holds CloudTrail logs (fantasticlogs-cloudtrail) after he’s already disabled the trail (StopLogging / DeleteTrail would precede). This is the T1485 destructive deletion pattern, paired with T1685 defense impairment. The bucket has to be empty to delete — assume he’s run DeleteObjects first or that lifecycle rules already drained it.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T19:02:11Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T20:48:55Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "bucketName": "fantasticlogs-cloudtrail", "Host": "fantasticlogs-cloudtrail.s3.us-east-1.amazonaws.com" }, "responseElements": null, "additionalEventData": { "SignatureVersion": "SigV4", "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "bytesTransferredIn": 0, "AuthenticationMethod": "AuthHeader", "bytesTransferredOut": 0 }, "requestID": "90000000-0000-4000-8000-000011001110", "eventID": "90000000-0000-4000-8000-000011001111", "readOnly": false, "resources": [ { "accountId": "555123456789", "type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::fantasticlogs-cloudtrail" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "fantasticlogs-cloudtrail.s3.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Impact Defense Impairment
Techniques:
- T1485 — Data Destruction — Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and r...
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...