google.iam.admin.v1.DeleteServiceAccount
google.iam.admin.v1.DeleteServiceAccount
Event
Deletes a service account, disrupting workloads and applications that depend on it for authentication.
Security Context
- Deleting a service account immediately revokes all associated keys and tokens, breaking authentication for every workload, application, and CI/CD pipeline that depends on it.
- Adversaries delete service accounts to cause operational disruption, deny legitimate access during an incident, or cover tracks by removing the identity used in the attack.
Log Source
Cloud Audit Logs
Sample Event
Adversarial. Draco deletes the bowtruckle-secrets@fantasticlogs-prod.iam.gserviceaccount.com service account — the production secrets-management SA used by the BOWTRUCKLE secret-sync pipeline. Every workload that depends on this SA (Secret Manager auto-rotators, KMS unwrap callers in OCCAMY) immediately fails authentication. The blast radius is large enough that the SOC will get production alerts within minutes, but Draco gets exactly that — operational chaos that occupies the response team while he completes other objectives, plus 30 days during which any restore action requires the un-delete API he can revoke from again.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "draco@fantasticlogs.cloud" }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.iam.service-accounts.delete invocation-id/90000000000000000000001111110011 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)", "requestAttributes": { "time": "2026-04-15T17:55:08.221987654Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.DeleteServiceAccount", "authorizationInfo": [ { "resource": "projects/-/serviceAccounts/100000000000000000011", "permission": "iam.serviceAccounts.delete", "granted": true, "resourceAttributes": { "service": "iam.googleapis.com", "name": "projects/-/serviceAccounts/100000000000000000011", "type": "iam.googleapis.com/ServiceAccount" } } ], "resourceName": "projects/-/serviceAccounts/100000000000000000011", "request": { "@type": "type.googleapis.com/google.iam.admin.v1.DeleteServiceAccountRequest", "name": "projects/fantasticlogs-prod/serviceAccounts/bowtruckle-secrets@fantasticlogs-prod.iam.gserviceaccount.com" }, "response": { "@type": "type.googleapis.com/google.protobuf.Empty" } }, "insertId": "evt001111110011", "resource": { "type": "service_account", "labels": { "email_id": "bowtruckle-secrets@fantasticlogs-prod.iam.gserviceaccount.com", "project_id": "fantasticlogs-prod", "unique_id": "100000000000000000011" } }, "timestamp": "2026-04-15T17:55:08.123456789Z", "severity": "NOTICE", "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity", "receiveTimestamp": "2026-04-15T17:55:08.567890123Z"}MITRE ATT&CK Mapping
Tactics: Impact
- T1531 — Account Access Removal — Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials, revoked permissions for SaaS platforms such as Sharepoint) to remove access to accounts....