google.iam.admin.v1.DeleteServiceAccountKey

CSP: GCP
Techniques:

Event

Deletes a service account key, potentially removing evidence of attacker-created credentials.

Security Context

  • Deleting a service account key removes the credential and its metadata from IAM, erasing evidence that the key was ever created and preventing forensic analysis of key usage patterns.
  • Adversaries delete keys they previously created as a cleanup step after establishing alternative persistence mechanisms, covering tracks from incident responders reviewing service account key inventories.
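One way to look for the create-then-clean-up pattern described above is to pair each DeleteServiceAccountKey entry with the matching CreateServiceAccountKey entry and flag keys that lived only briefly. This is an added example, not part of the original page. The log entries are constructed, and the field layout (key resource name in `response.name` for create and `request.name` for delete), the 24-hour threshold and all helper names are assumptions to check against your own Cloud Audit Logs export.

```python
from datetime import datetime, timedelta

CREATE = "google.iam.admin.v1.CreateServiceAccountKey"
DELETE = "google.iam.admin.v1.DeleteServiceAccountKey"
SA = "projects/demo-project/serviceAccounts/build@demo-project.iam.gserviceaccount.com"

def _entry(ts, method, principal, name):
    # Assumed layout: key resource name in response.name (create) / request.name (delete).
    field = "response" if method == CREATE else "request"
    return {"timestamp": ts, "protoPayload": {
        "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        field: {"name": name}}}

# Constructed sample entries, not real logs.
SAMPLE_LOGS = [
    _entry("2024-01-01T09:00:00Z", CREATE, "ci-admin@example.com", SA + "/keys/bbb222"),
    _entry("2024-03-05T10:00:00Z", CREATE, "dev-user@example.com", SA + "/keys/aaa111"),
    _entry("2024-03-05T10:40:00Z", DELETE, "dev-user@example.com", SA + "/keys/aaa111"),
    _entry("2024-04-01T09:00:00Z", DELETE, "ci-admin@example.com", SA + "/keys/bbb222"),
    _entry("2024-04-02T12:00:00Z", DELETE, "dev-user@example.com", SA + "/keys/ccc333"),
]

def _parse(entry):
    p = entry["protoPayload"]
    name = p.get("response" if p["methodName"] == CREATE else "request", {}).get("name", "")
    ts = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
    # Correlate on the segment after /keys/; the project segment may be "-" in requests.
    kid = name.rsplit("/keys/", 1)[1] if "/keys/" in name else None
    return ts, p["methodName"], p["authenticationInfo"]["principalEmail"], kid

def review_key_deletions(entries, max_age=timedelta(hours=24)):
    """Flag deleted keys that were short-lived or whose creation is not in the logs."""
    created, findings = {}, []
    for ts, method, principal, kid in sorted(map(_parse, entries), key=lambda r: r[0]):
        if kid is None:
            continue
        if method == CREATE:
            created[kid] = (ts, principal)
        elif method == DELETE:
            if kid not in created:
                findings.append({"key": kid, "reason": "no_create_in_window",
                                 "deleted_by": principal})
            elif ts - created[kid][0] <= max_age:
                findings.append({"key": kid, "reason": "short_lived", "deleted_by": principal,
                                 "created_by": created[kid][1], "age": ts - created[kid][0]})
    return findings
```

A `no_create_in_window` finding means the key's creation predates the logs being searched, so widen the search window before drawing conclusions about it.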

Log Source

Cloud Audit Logs

Sample Event

MITRE ATT&CK Mapping

Tactics: Defense Evasion

Techniques:
  • T1070 — Indicator Removal — Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions.