DetachRolePolicy
AWS
DetachRolePolicy
Event
Detaches a managed IAM policy from a role, removing those permissions from the role’s effective policy.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
- Abusing elevation control mechanisms allows adversaries to bypass intended access restrictions and operate with higher privileges.
Log Source
CloudTrail
Sample Event
Adversarial. Draco — operating with a session he obtained earlier — detaches the IncidentResponseEnforcementPolicy (a custom policy attaching CloudWatch alarm + GuardDuty notification permissions) from the IncidentResponseRole. By stripping defenses from the IR role, follow-up destructive actions (snapshot deletion, log tampering) escape the role’s incident-response automation that would otherwise self-heal them. T1685 + T1548.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T20:02:11Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T20:18:46Z", "eventSource": "iam.amazonaws.com", "eventName": "DetachRolePolicy", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "roleName": "IncidentResponseRole", "policyArn": "arn:aws:iam::555123456789:policy/IncidentResponseEnforcementPolicy" }, "responseElements": null, "requestID": "90000000-0000-4000-8000-000100101100", "eventID": "90000000-0000-4000-8000-000100101101", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "iam.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment Privilege Escalation
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...
- T1548 — Abuse Elevation Control Mechanism — Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific u...