« AWS IAM Group Creation AWS IAM Login Profile Added for Root »
Elastic Docs Elastic Security [8.19] Detections and alerts Prebuilt rule reference

AWS IAM Group Deletion

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

AWS IAM Group Deletion

edit

Detects when an IAM group is deleted using the DeleteGroup API call. Deletion of an IAM group may represent a malicious attempt to remove audit trails, disrupt operations, or hide adversary activity (for example after using the group briefly for privileged access). This can be an indicator of impact or cleanup in an attack lifecycle.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-aws.cloudtrail-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Data Source: AWS
  • Data Source: Amazon Web Services
  • Data Source: AWS IAM
  • Tactic: Impact
  • Resources: Investigation Guide

Version: 210

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating AWS IAM Group Deletion

Attackers sometimes remove groups to erase evidence, disrupt operations, or prevent users from receiving needed permissions (Impact). Deletion can also follow malicious cleanup after attaching policies and using the group briefly. This alert fires on DeleteGroup API call. Consider intentional disruption or covering tracks, particularly if the group was privileged or recently modified.

Possible investigation steps

  • Identify the actor and environment
  • Review aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id.
  • Check source.ip, user_agent.original, cloud.account.id, cloud.region for atypical activity.
  • Determine what was lost
  • From aws.cloudtrail.request_parameters, capture groupName.
  • Use history or logs to identify existing members and attached policies prior to deletion (ex: GetGroup, ListAttachedGroupPolicies).
  • Determine if the group contained privileged roles/policies that could have been weaponized.
  • Correlate with related activity
  • Look in the prior 1–24h for DetachGroupPolicy, RemoveUserFromGroup, DeleteGroupPolicy, which often precede deletion in adversary cleanup workflows.
  • After deletion, monitor for creation of new similarly-named groups, or re-attachment of policies to other groups/roles.

False positive analysis

  • Projects & services that are being decommissioned often require group deletion. Confirm through internal inventory and change control.
  • Sandbox or dev accounts frequently create and delete groups; ensure the environment context is understood.

Response and remediation

  • Containment: If deletion was unauthorized, restrict the actor’s IAM privileges and block further configuration changes.
  • Investigation and scoping: Recover details of the deleted group (members, policies) from logs or AWS Config, and determine the impact of the deletion (which users lost membership, service account disruption).
  • Recovery and hardening: Recreate the group if necessary, restore intended policies and memberships, enforce change-control for group deletions, restrict iam:DeleteGroup privileges, and create alerts for destructive IAM operations.

Additional information

AWS Security Best Practices

Rule query

edit
event.dataset: aws.cloudtrail and
    event.provider: iam.amazonaws.com and
    event.action: DeleteGroup and
    event.outcome: success

Framework: MITRE ATT&CKTM

« AWS IAM Group Creation AWS IAM Login Profile Added for Root »