DeleteUser
AWS
DeleteUser
Event
Permanently deletes an IAM user; all attached policies, group memberships, and keys must be removed first.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
- Resource destruction eliminates data and services that may be difficult or impossible to recover, especially without adequate backups.
Log Source
CloudTrail
Sample Event
Adversarial. Draco — having already removed Hermione’s login profile (DeleteLoginProfile), her access keys (DeleteAccessKey), and her MFA — finishes the lockout by deleting her IAM user entirely. T1531 + T1685. The chain (LoginProfile → AccessKey → DeactivateMFA → DeleteVirtualMFADevice → DetachUserPolicy → DeleteUser) is highly characteristic of account-removal activity.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T19:02:11Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T20:01:48Z", "eventSource": "iam.amazonaws.com", "eventName": "DeleteUser", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "userName": "hermione" }, "responseElements": null, "requestID": "90000000-0000-4000-8000-000100000000", "eventID": "90000000-0000-4000-8000-000100000001", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "iam.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Impact Defense Impairment
Techniques:
- T1531 — Account Access Removal — Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials, revoked permissions for SaaS platforms such as Sharepoint) to remove access to accounts....
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...