DeleteEventDataStore
AWS
DeleteEventDataStore
Event
Deletes a CloudTrail Lake event data store, destroying stored forensic evidence and audit logs.
Security Context
- CloudTrail Lake stores long-term audit data used for forensic investigations; deleting an event data store destroys historical evidence of attacker activity that cannot be recovered.
- This is a high-severity defense impairment action that indicates an adversary is actively attempting to cover their tracks after completing their objectives.
Log Source
CloudTrail
Sample Event
Adversarial. Draco deletes the CloudTrail Lake event data store that holds 7-day forensic data for us-east-1 after his other tracks-covering steps. Because Lake stores are queryable retroactively, this is high-priority cleanup for a serious actor. T1685.002.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T19:02:11Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T20:36:18Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteEventDataStore", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "eventDataStore": "arn:aws:cloudtrail:us-east-1:555123456789:eventdatastore/60000000-0000-4000-8000-000100000000" }, "responseElements": null, "requestID": "90000000-0000-4000-8000-000011011110", "eventID": "90000000-0000-4000-8000-000011011111", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "cloudtrail.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685.002 — Disable or Modify Cloud Log — An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within t...