google.iam.admin.v1.DeleteServiceAccountKey
GCP
google.iam.admin.v1.DeleteServiceAccountKey
Event
Deletes a service account key, potentially removing evidence of attacker-created credentials.
Security Context
- Deleting a service account key removes the credential and its metadata from IAM, erasing evidence that the key was ever created and preventing forensic analysis of key usage patterns.
- Adversaries delete keys they previously created as a cleanup step after establishing alternative persistence mechanisms, covering tracks from incident responders reviewing service account key inventories.
Log Source
Cloud Audit Logs
Sample Event
Adversarial. Draco deletes the SA key he created in the pilot’s CreateServiceAccountKey event — key fingerprint 60000000000000000000000000000001 on occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com. Now that he has a working access token (from the impersonation chain via GenerateAccessToken), the long-lived JSON key is no longer needed and is itself a forensic liability. Deleting it removes the key from the IAM key inventory that incident responders enumerate, and removes the metadata trail of when the key was last used. Cleanup is a hallmark T1070 step.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "draco@fantasticlogs.cloud" }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.iam.service-accounts.keys.delete invocation-id/90000000000000000000001111110010 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)", "requestAttributes": { "time": "2026-04-15T17:33:21.221987654Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.DeleteServiceAccountKey", "authorizationInfo": [ { "resource": "projects/-/serviceAccounts/100000000000000000001/keys/60000000000000000000000000000001", "permission": "iam.serviceAccountKeys.delete", "granted": true, "resourceAttributes": { "service": "iam.googleapis.com", "name": "projects/-/serviceAccounts/100000000000000000001/keys/60000000000000000000000000000001", "type": "iam.googleapis.com/ServiceAccountKey" } } ], "resourceName": "projects/-/serviceAccounts/100000000000000000001/keys/60000000000000000000000000000001", "request": { "@type": "type.googleapis.com/google.iam.admin.v1.DeleteServiceAccountKeyRequest", "name": "projects/fantasticlogs-prod/serviceAccounts/occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com/keys/60000000000000000000000000000001" }, "response": { "@type": "type.googleapis.com/google.protobuf.Empty" } }, "insertId": "evt001111110010", "resource": { "type": "service_account", "labels": { "email_id": "occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com", "project_id": "fantasticlogs-prod", "unique_id": "100000000000000000001" } }, "timestamp": "2026-04-15T17:33:21.123456789Z", "severity": "NOTICE", "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity", "receiveTimestamp": "2026-04-15T17:33:21.567890123Z"}MITRE ATT&CK Mapping
Tactics: Stealth
Techniques:
- T1070 — Indicator Removal — Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity. Rather than broadly removing evidence, adversaries may target specific artifacts that appear anomalous or are likely to draw scrutiny, while leaving suff...