DeleteBucketPolicy
AWS
DeleteBucketPolicy
Event
Removes the resource-based policy from an S3 bucket, reverting to default access controls.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
- Accessing cloud storage objects can expose sensitive data including backups, configuration files, application data, and customer information.
Log Source
CloudTrail
Sample Event
Adversarial. Draco removes the bucket policy on fantasticlogs-niffler-archive so that a previously-restrictive resource policy (e.g., one that limited access to OccamyPipelineRole) is gone. Subsequent cross-account GetObject calls from 555666661337 will then succeed. This is the T1685 defense-impairment + T1530 collection setup.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T19:02:11Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T20:14:02Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketPolicy", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "bucketName": "fantasticlogs-niffler-archive", "Host": "fantasticlogs-niffler-archive.s3.us-east-1.amazonaws.com" }, "responseElements": null, "additionalEventData": { "SignatureVersion": "SigV4", "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "bytesTransferredIn": 0, "AuthenticationMethod": "AuthHeader", "bytesTransferredOut": 0 }, "requestID": "90000000-0000-4000-8000-000011010000", "eventID": "90000000-0000-4000-8000-000011010001", "readOnly": false, "resources": [ { "accountId": "555123456789", "type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::fantasticlogs-niffler-archive" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "fantasticlogs-niffler-archive.s3.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment Collection
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...
- T1530 — Data from Cloud Storage — Adversaries may access data from cloud storage.