Skip to content

DeleteObject

AWS

DeleteObject

service: AWS - S3
tactics:
techniques:

Event

Deletes a single object from an S3 bucket; with versioning enabled, a delete marker is created instead.

Security Context

  • Destructive deletion of cloud resources can cause significant operational disruption, data loss, and extended recovery times.

Log Source

CloudTrail

Sample Event

Adversarial. Draco deletes a single high-value object — the OCCAMY ingest manifest that documents the data lake schema — to break downstream parsers. Single-key targeted destruction. T1485. (S3 data events must be enabled on the trail to capture this.)

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T19:02:11Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T20:55:11Z",
"eventSource": "s3.amazonaws.com",
"eventName": "DeleteObject",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "[aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6]",
"requestParameters": {
"bucketName": "fantasticlogs-occamy-ingest",
"Host": "fantasticlogs-occamy-ingest.s3.us-east-1.amazonaws.com",
"key": "raw/cloudtrail/2026-04-15/manifest.json"
},
"responseElements": null,
"additionalEventData": {
"SignatureVersion": "SigV4",
"CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"bytesTransferredIn": 0,
"AuthenticationMethod": "AuthHeader",
"bytesTransferredOut": 0
},
"requestID": "PXEXAMPLE123ABCD",
"eventID": "90000000-0000-4000-8000-000011110011",
"readOnly": false,
"resources": [
{
"type": "AWS::S3::Object",
"ARN": "arn:aws:s3:::fantasticlogs-occamy-ingest/raw/cloudtrail/2026-04-15/manifest.json"
},
{
"accountId": "555123456789",
"type": "AWS::S3::Bucket",
"ARN": "arn:aws:s3:::fantasticlogs-occamy-ingest"
}
],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "555123456789",
"eventCategory": "Data",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "fantasticlogs-occamy-ingest.s3.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Impact

Techniques:
  • T1485 — Data Destruction — Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and r...