Skip to content

secretmanager.secrets.delete

GCP

secretmanager.secrets.delete

service: GCP - Secret Manager
techniques:

Event

Permanently deletes a secret and all of its versions from GCP Secret Manager.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
  • Destructive deletion of cloud resources can cause significant operational disruption, data loss, and extended recovery times.

Log Source

Cloud Audit Logs

Sample Event

Adversarial. Draco deletes the bowtruckle-prod-db-master-pass secret, which holds the rotating master password for the production Cloud SQL instance. Because Secret Manager has no soft-delete, every version of that secret (including all historical rotations) is destroyed immediately. Any pipeline or workload that fetches this secret on the next rotation cycle (or restart) fails authentication catastrophically — a destructive-impact denial-of-service against production. Notably, the deletion happens after Draco has already exfiltrated the secret value via AccessSecretVersion — destruction here is anti-forensics + DoS, not the credential-theft objective.

{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "draco@fantasticlogs.cloud"
},
"requestMetadata": {
"callerIp": "203.0.113.66",
"callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.secrets.delete invocation-id/90000000000000000000010000000001 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)",
"requestAttributes": {
"time": "2026-04-15T17:39:51.221987654Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "secretmanager.googleapis.com",
"methodName": "google.cloud.secretmanager.v1.SecretManagerService.DeleteSecret",
"authorizationInfo": [
{
"resource": "projects/fantasticlogs-prod/secrets/bowtruckle-prod-db-master-pass",
"permission": "secretmanager.secrets.delete",
"granted": true,
"resourceAttributes": {
"service": "secretmanager.googleapis.com",
"name": "projects/fantasticlogs-prod/secrets/bowtruckle-prod-db-master-pass",
"type": "secretmanager.googleapis.com/Secret"
}
}
],
"resourceName": "projects/fantasticlogs-prod/secrets/bowtruckle-prod-db-master-pass",
"request": {
"@type": "type.googleapis.com/google.cloud.secretmanager.v1.DeleteSecretRequest",
"name": "projects/fantasticlogs-prod/secrets/bowtruckle-prod-db-master-pass",
"etag": "BwSAMPLEetag10001="
},
"response": {
"@type": "type.googleapis.com/google.protobuf.Empty"
}
},
"insertId": "evt010000000001",
"resource": {
"type": "audited_resource",
"labels": {
"project_id": "fantasticlogs-prod",
"method": "google.cloud.secretmanager.v1.SecretManagerService.DeleteSecret",
"service": "secretmanager.googleapis.com"
}
},
"timestamp": "2026-04-15T17:39:51.123456789Z",
"severity": "NOTICE",
"logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity",
"receiveTimestamp": "2026-04-15T17:39:51.567890123Z"
}

MITRE ATT&CK Mapping

Tactics: Impact Defense Impairment

Techniques:
  • T1485 — Data Destruction — Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and r...
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...