Skip to content

DeleteUser

AWS

DeleteUser

service: AWS - IAM
techniques:

Event

Permanently deletes an IAM user; all attached policies, group memberships, and keys must be removed first.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
  • Resource destruction eliminates data and services that may be difficult or impossible to recover, especially without adequate backups.

Log Source

CloudTrail

Sample Event

Adversarial. Draco — having already removed Hermione’s login profile (DeleteLoginProfile), her access keys (DeleteAccessKey), and her MFA — finishes the lockout by deleting her IAM user entirely. T1531 + T1685. The chain (LoginProfile → AccessKey → DeactivateMFA → DeleteVirtualMFADevice → DetachUserPolicy → DeleteUser) is highly characteristic of account-removal activity.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T19:02:11Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T20:01:48Z",
"eventSource": "iam.amazonaws.com",
"eventName": "DeleteUser",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"userName": "hermione"
},
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000100000000",
"eventID": "90000000-0000-4000-8000-000100000001",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "iam.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Impact Defense Impairment

Techniques:
  • T1531 — Account Access Removal — Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials, revoked permissions for SaaS platforms such as Sharepoint) to remove access to accounts....
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...