Skip to content

DeleteRolePolicy

AWS

DeleteRolePolicy

service: AWS - IAM
techniques:

Event

Deletes an inline policy embedded directly in an IAM role.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
  • Abusing elevation control mechanisms allows adversaries to bypass intended access restrictions and operate with higher privileges.

Log Source

CloudTrail

Sample Event

Adversarial. Draco deletes the inline policy DenyDestructiveOps that was on OccamyPipelineRole — an explicit-deny guardrail that was preventing the role from deleting RDS/EBS resources. With the inline deny removed, the role’s other allow policies become effective. T1685 + T1548.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T19:02:11Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T19:36:33Z",
"eventSource": "iam.amazonaws.com",
"eventName": "DeleteRolePolicy",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"roleName": "OccamyPipelineRole",
"policyName": "DenyDestructiveOps"
},
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000011111000",
"eventID": "90000000-0000-4000-8000-000011111001",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "iam.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment Privilege Escalation

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...
  • T1548 — Abuse Elevation Control Mechanism — Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific u...