Skip to content

DetachRolePolicy

AWS

DetachRolePolicy

service: AWS - IAM
techniques:

Event

Detaches a managed IAM policy from a role, removing those permissions from the role’s effective policy.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
  • Abusing elevation control mechanisms allows adversaries to bypass intended access restrictions and operate with higher privileges.

Log Source

CloudTrail

Sample Event

Adversarial. Draco — operating with a session he obtained earlier — detaches the IncidentResponseEnforcementPolicy (a custom policy attaching CloudWatch alarm + GuardDuty notification permissions) from the IncidentResponseRole. By stripping defenses from the IR role, follow-up destructive actions (snapshot deletion, log tampering) escape the role’s incident-response automation that would otherwise self-heal them. T1685 + T1548.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T20:02:11Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T20:18:46Z",
"eventSource": "iam.amazonaws.com",
"eventName": "DetachRolePolicy",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"roleName": "IncidentResponseRole",
"policyArn": "arn:aws:iam::555123456789:policy/IncidentResponseEnforcementPolicy"
},
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000100101100",
"eventID": "90000000-0000-4000-8000-000100101101",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "iam.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment Privilege Escalation

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...
  • T1548 — Abuse Elevation Control Mechanism — Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific u...