DeleteLoginProfile
AWS
DeleteLoginProfile
Event
Removes an IAM user’s console password, preventing them from signing in to the AWS Management Console.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
- Resource destruction eliminates data and services that may be difficult or impossible to recover, especially without adequate backups.
Log Source
CloudTrail
Sample Event
Adversarial. Draco deletes Hermione’s console login profile (her console password) so she can’t log in to lock his session out — a clean account-takeover lockout move. Pairs with T1531 (Account Access Removal) and T1685. The targeted user is Hermione because she’s the IAM admin most likely to revoke Draco.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T19:02:11Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T19:55:48Z", "eventSource": "iam.amazonaws.com", "eventName": "DeleteLoginProfile", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "userName": "hermione" }, "responseElements": null, "requestID": "90000000-0000-4000-8000-000011101000", "eventID": "90000000-0000-4000-8000-000011101001", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "iam.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Impact Defense Impairment
Techniques:
- T1531 — Account Access Removal — Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials, revoked permissions for SaaS platforms such as Sharepoint) to remove access to accounts....
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...