DeleteObject
AWS
DeleteObject
Event
Deletes a single object from an S3 bucket; with versioning enabled, a delete marker is created instead.
Security Context
- Destructive deletion of cloud resources can cause significant operational disruption, data loss, and extended recovery times.
Log Source
CloudTrail
Sample Event
Adversarial. Draco deletes a single high-value object — the OCCAMY ingest manifest that documents the data lake schema — to break downstream parsers. Single-key targeted destruction. T1485. (S3 data events must be enabled on the trail to capture this.)
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T19:02:11Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T20:55:11Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "[aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6]", "requestParameters": { "bucketName": "fantasticlogs-occamy-ingest", "Host": "fantasticlogs-occamy-ingest.s3.us-east-1.amazonaws.com", "key": "raw/cloudtrail/2026-04-15/manifest.json" }, "responseElements": null, "additionalEventData": { "SignatureVersion": "SigV4", "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "bytesTransferredIn": 0, "AuthenticationMethod": "AuthHeader", "bytesTransferredOut": 0 }, "requestID": "PXEXAMPLE123ABCD", "eventID": "90000000-0000-4000-8000-000011110011", "readOnly": false, "resources": [ { "type": "AWS::S3::Object", "ARN": "arn:aws:s3:::fantasticlogs-occamy-ingest/raw/cloudtrail/2026-04-15/manifest.json" }, { "accountId": "555123456789", "type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::fantasticlogs-occamy-ingest" } ], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "555123456789", "eventCategory": "Data", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "fantasticlogs-occamy-ingest.s3.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Impact
Techniques:
- T1485 — Data Destruction — Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and r...