DetachUserPolicy
AWS
DetachUserPolicy
Event
Detaches a managed IAM policy from an IAM user, removing those permissions from the user.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
- Abusing elevation control mechanisms allows adversaries to bypass intended access restrictions and operate with higher privileges.
Log Source
CloudTrail
Sample Event
Adversarial. Draco detaches the DenyDangerousActionsBoundary permissions-boundary-style policy from his own user (draco). The policy was attached as a quarantine measure during incident triage — removing it lets him resume privileged operations. Same-user defense-bypass (userIdentity.userName == requestParameters.userName) is a high-fidelity privesc/defense-impairment signal (T1685 + T1548).
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T20:02:11Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T20:24:03Z", "eventSource": "iam.amazonaws.com", "eventName": "DetachUserPolicy", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "userName": "draco", "policyArn": "arn:aws:iam::555123456789:policy/DenyDangerousActionsBoundary" }, "responseElements": null, "requestID": "90000000-0000-4000-8000-000100101110", "eventID": "90000000-0000-4000-8000-000100101111", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "iam.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment Privilege Escalation
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...
- T1548 — Abuse Elevation Control Mechanism — Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific u...