DeleteLogStream
AWS
DeleteLogStream
Event
Permanently deletes a log stream and all its events from within a CloudWatch Logs log group.
Security Context
- Deleting or modifying audit logs destroys forensic evidence and prevents security teams from reconstructing the attack timeline.
Log Source
CloudTrail
Sample Event
Adversarial. Draco deletes a single log stream (555123456789_CloudTrail_us-east-1_20260415) inside the CloudTrail Logs group — narrower than DeleteLogGroup, so it doesn’t trip the broader log-group-deleted alarm if the defenders only watch the parent. T1685.002.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T19:02:11Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T20:18:12Z", "eventSource": "logs.amazonaws.com", "eventName": "DeleteLogStream", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "logGroupName": "fantasticlogs-cloudtrail-management", "logStreamName": "555123456789_CloudTrail_us-east-1_20260415" }, "responseElements": null, "requestID": "90000000-0000-4000-8000-000011101010", "eventID": "90000000-0000-4000-8000-000011101011", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "logs.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685.002 — Disable or Modify Cloud Log — An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within t...