Skip to content
TheCloud.Events

google.iam.admin.v1.DeleteServiceAccount

CSP: GCP
Tactics:
Impact
Techniques:
T1531
Tags:
GCP IAM

Event

Deletes a service account, disrupting workloads and applications that depend on it for authentication.

Security Context

  • Deleting a service account immediately revokes all associated keys and tokens, breaking authentication for every workload, application, and CI/CD pipeline that depends on it.
  • Adversaries delete service accounts to cause operational disruption, deny legitimate access during an incident, or cover tracks by removing the identity used in the attack.

Log Source

Cloud Audit Logs

Sample Event

MITRE ATT&CK Mapping

Tactics: Impact

Techniques:
  • T1531 — Account Access Removal — Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials, revoked permissions for SaaS platforms such as Sharepoint) to remove access to accounts.