AWS IAM Account Password Policy Deleted

Identifies deletion of the AWS account password policy via DeleteAccountPasswordPolicy. The account password policy enforces minimum password requirements (length, complexity, rotation, and reuse) for all IAM users in the account. Deleting it removes those requirements account-wide, weakening authentication and easing follow-on credential-based attacks. This is an account-level change that legitimately occurs only during deliberate administration, so its deletion by an unexpected principal warrants review.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/06/18"
integration = ["aws"]
maturity = "production"
updated_date = "2026/06/18"

[rule]
author = ["Elastic"]
description = """
Identifies deletion of the AWS account password policy via DeleteAccountPasswordPolicy. The account password policy
enforces minimum password requirements (length, complexity, rotation, and reuse) for all IAM users in the account.
Deleting it removes those requirements account-wide, weakening authentication and easing follow-on credential-based
attacks. This is an account-level change that legitimately occurs only during deliberate administration, so its deletion
by an unexpected principal warrants review.
"""
false_positives = [
    """
    Identity and platform teams or infrastructure-as-code may delete or replace the account password policy during
    governance changes. Verify the principal in `aws.cloudtrail.user_identity.arn` against approved change records, and
    confirm whether a replacement policy was applied shortly after. Known administration roles and automation can be
    excluded after validation.
    """,
]
from = "now-6m"
index = ["logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM Account Password Policy Deleted"
note = """## Triage and analysis

### Investigating AWS IAM Account Password Policy Deleted

The account password policy is an account-wide control that sets minimum password length, character complexity, maximum age, and reuse-prevention for all IAM users. `DeleteAccountPasswordPolicy` removes it entirely, reverting the account to no enforced password requirements — which weakens authentication and can facilitate credential attacks or mask weak credentials created later. Because this is a single, account-level, high-impact change, it should be deliberate and rare.

### Possible investigation steps

- Identify the actor in `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `aws.cloudtrail.user_identity.session_context.session_issuer.arn`, and review `source.ip` / `user_agent.original`.
- Determine whether a replacement policy was set shortly after (`UpdateAccountPasswordPolicy`) or whether the account was left with no policy.
- Confirm whether the change aligns with an approved governance change.
- Correlate with recent activity by the same principal, such as creation of IAM users or login profiles, or other defense-evasion actions (CloudTrail/logging changes) that may indicate a broader effort to weaken controls.

### False positive analysis

- Approved governance or infrastructure-as-code may delete/replace the policy. Confirm the change is expected and exclude known administration roles or automation on `aws.cloudtrail.user_identity.arn` after validation.
- Note: AWS GuardDuty also surfaces account password policy changes via `Stealth:IAMUser/PasswordPolicyChange`; correlate if GuardDuty is enabled.

### Response and remediation

- If the deletion is unauthorized, restore an appropriate account password policy (`UpdateAccountPasswordPolicy`) that meets your organization's standards, and review any IAM users or login profiles created while no policy was enforced.
- Rotate or restrict credentials for the principal if compromise is suspected, and constrain `iam:DeleteAccountPasswordPolicy` and `iam:UpdateAccountPasswordPolicy` to a small set of trusted administrators.

"""
references = [
    "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html",
    "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteAccountPasswordPolicy.html",
]
risk_score = 47
rule_id = "283f6c2a-9811-4239-9a40-52b066c67f99"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Identity",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS IAM",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset: "aws.cloudtrail"
    and event.provider: "iam.amazonaws.com"
    and event.action: "DeleteAccountPasswordPolicy"
    and event.outcome: "success"
    and not aws.cloudtrail.user_identity.type: "AWSService"
    and not user_agent.original: (*terraform* or *pulumi* or *ansible*)
    and not aws.cloudtrail.user_identity.arn: (*terraform* or *pulumi* or *ansible*)
    and not source.address: ("cloudformation.amazonaws.com" or "servicecatalog.amazonaws.com")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "aws.cloudtrail.user_identity.session_context.session_issuer.arn",
    "aws.cloudtrail.request_parameters",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
]
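The KQL query above is easiest to reason about clause by clause. The following is an added example, not Elastic's code: it re-implements each positive clause and each exclusion in Python and runs them over constructed CloudTrail documents in the flattened ECS field layout the rule queries, one true hit plus one document per clause that should suppress it. The account id 111122223333, the role and user names, the user agents and the IP address are all constructed, and the KQL wildcard `*terraform*` is approximated as a plain substring test.

```python
# Added example (not Elastic's code): the rule's KQL clauses as Python checks,
# exercised against constructed CloudTrail documents. All identifiers below
# (account 111122223333, role names, user agents, IP) are constructed.

# Substrings the rule excludes in user_agent.original and user_identity.arn.
# The KQL wildcard `*terraform*` is approximated here as a substring test.
EXCLUDED_AUTOMATION = ("terraform", "pulumi", "ansible")
# Service-originated calls the rule excludes via source.address.
EXCLUDED_SOURCES = {"cloudformation.amazonaws.com", "servicecatalog.amazonaws.com"}


def _make_doc(**fields):
    """Constructed CloudTrail document with the rule's positive clauses pre-filled."""
    doc = {
        "data_stream.dataset": "aws.cloudtrail",
        "event.provider": "iam.amazonaws.com",
        "event.action": "DeleteAccountPasswordPolicy",
        "event.outcome": "success",
        "aws.cloudtrail.user_identity.type": "AssumedRole",
        "aws.cloudtrail.user_identity.arn": "arn:aws:sts::111122223333:assumed-role/AdminRole/alice",
        "user_agent.original": "console.amazonaws.com",
        "source.address": "203.0.113.10",
    }
    doc.update(fields)
    return doc


# One true hit, then one document per clause that should drop it.
SAMPLE_DOCS = [
    _make_doc(),                                                        # hit: interactive admin session
    _make_doc(**{"event.outcome": "failure"}),                          # denied attempt, no deletion happened
    _make_doc(**{"event.action": "UpdateAccountPasswordPolicy"}),       # a policy change, not a deletion
    _make_doc(**{"aws.cloudtrail.user_identity.type": "AWSService"}),   # service-linked activity excluded
    _make_doc(**{"user_agent.original": "HashiCorp-terraform/1.6 (constructed)"}),  # IaC user agent excluded
    _make_doc(**{"aws.cloudtrail.user_identity.arn":
                 "arn:aws:sts::111122223333:assumed-role/pulumi-deploy/run-42"}),    # IaC role name excluded
    _make_doc(**{"source.address": "cloudformation.amazonaws.com"}),    # CloudFormation-originated call excluded
]


def _contains_any(value, needles):
    return any(n in value for n in needles)


def matches_rule(doc):
    """Return True when the document satisfies every clause of the rule query."""
    if doc.get("data_stream.dataset") != "aws.cloudtrail":
        return False
    if doc.get("event.provider") != "iam.amazonaws.com":
        return False
    if doc.get("event.action") != "DeleteAccountPasswordPolicy":
        return False
    if doc.get("event.outcome") != "success":
        return False
    # `not field: value` clauses: a missing field cannot match, so the document passes them.
    if doc.get("aws.cloudtrail.user_identity.type") == "AWSService":
        return False
    if _contains_any(doc.get("user_agent.original", ""), EXCLUDED_AUTOMATION):
        return False
    if _contains_any(doc.get("aws.cloudtrail.user_identity.arn", ""), EXCLUDED_AUTOMATION):
        return False
    if doc.get("source.address") in EXCLUDED_SOURCES:
        return False
    return True


def alerts(docs):
    """Documents that would raise this rule, in input order."""
    return [d for d in docs if matches_rule(d)]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_DOCS):
        print("ALERT", hit["aws.cloudtrail.user_identity.arn"], "from", hit["source.address"])
```

Running the block prints exactly one alert, the interactive admin session; every other constructed document is dropped by the clause noted in its comment. Note that the `*terraform*`-style exclusions match on the role name and user agent strings only, so an actor who simply names a role or user agent after an IaC tool is not seen by this rule; that is the trade-off the false-positive section asks you to validate before relying on such exclusions.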

Triage and analysis

Investigating AWS IAM Account Password Policy Deleted

The account password policy is an account-wide control that sets minimum password length, character complexity, maximum age, and reuse-prevention for all IAM users. DeleteAccountPasswordPolicy removes it entirely, reverting the account to no enforced password requirements — which weakens authentication and can facilitate credential attacks or mask weak credentials created later. Because this is a single, account-level, high-impact change, it should be deliberate and rare.

Possible investigation steps

  • Identify the actor in aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.type, and aws.cloudtrail.user_identity.session_context.session_issuer.arn, and review source.ip / user_agent.original.
  • Determine whether a replacement policy was set shortly after (UpdateAccountPasswordPolicy) or whether the account was left with no policy.
  • Confirm whether the change aligns with an approved governance change.
  • Correlate with recent activity by the same principal, such as creation of IAM users or login profiles, or other defense-evasion actions (CloudTrail/logging changes) that may indicate a broader effort to weaken controls.

False positive analysis

  • Approved governance or infrastructure-as-code may delete/replace the policy. Confirm the change is expected and exclude known administration roles or automation on aws.cloudtrail.user_identity.arn after validation.
  • Note: AWS GuardDuty also surfaces account password policy changes via Stealth:IAMUser/PasswordPolicyChange; correlate if GuardDuty is enabled.

Response and remediation

  • If the deletion is unauthorized, restore an appropriate account password policy (UpdateAccountPasswordPolicy) that meets your organization's standards, and review any IAM users or login profiles created while no policy was enforced.
  • Rotate or restrict credentials for the principal if compromise is suspected, and constrain iam:DeleteAccountPasswordPolicy and iam:UpdateAccountPasswordPolicy to a small set of trusted administrators.
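The investigation steps above ask three correlation questions of the surrounding CloudTrail activity: was a replacement policy set shortly after, which IAM users or login profiles were created while no policy was enforced, and what other control-weakening actions the same principal took nearby. The following is an added example, not Elastic's code, that answers those questions over an in-memory list of events. The two event sequences, the ARNs, the account id 111122223333 and the 15-minute "shortly after" threshold are constructed assumptions; the set of CloudTrail API names treated as control-weakening is an illustrative choice, not a list from the rule.

```python
# Added example (not Elastic's code): triage helper for a
# DeleteAccountPasswordPolicy alert. Events, ARNs, account id 111122223333 and
# the thresholds are constructed; the API-name sets are illustrative choices.
from datetime import datetime, timedelta, timezone

ADMIN = "arn:aws:sts::111122223333:assumed-role/AdminRole/alice"
IAC = "arn:aws:sts::111122223333:assumed-role/IdentityPlatformDeploy/pipeline"
SECOPS = "arn:aws:sts::111122223333:assumed-role/SecurityResponder/bob"

# CloudTrail/logging changes and credential creation the guide asks to correlate.
CONTROL_WEAKENING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
                     "DeleteAccountPasswordPolicy"}
CREDENTIAL_CREATION = {"CreateUser", "CreateLoginProfile"}


def _ev(minute, action, actor):
    """Constructed CloudTrail event on 2026-06-18 at 12:<minute> UTC."""
    return {"@timestamp": datetime(2026, 6, 18, 12, minute, tzinfo=timezone.utc),
            "event.action": action,
            "aws.cloudtrail.user_identity.arn": actor}


# Scenario 1: logging stopped, policy deleted, a user and console login created,
# and the policy only restored 38 minutes later by a different principal.
SUSPICIOUS_EVENTS = [
    _ev(0, "StopLogging", ADMIN),
    _ev(2, "DeleteAccountPasswordPolicy", ADMIN),
    _ev(5, "CreateUser", ADMIN),
    _ev(6, "CreateLoginProfile", ADMIN),
    _ev(40, "UpdateAccountPasswordPolicy", SECOPS),
]

# Scenario 2: an IaC pipeline replaces the policy within a minute; the later
# CreateUser happens after the policy is back in force.
BENIGN_EVENTS = [
    _ev(2, "DeleteAccountPasswordPolicy", IAC),
    _ev(3, "UpdateAccountPasswordPolicy", IAC),
    _ev(20, "CreateUser", ADMIN),
]


def triage(events, alert, replace_within=timedelta(minutes=15), lookback=timedelta(hours=1)):
    """Summarise the context around one DeleteAccountPasswordPolicy event."""
    t0 = alert["@timestamp"]
    actor = alert["aws.cloudtrail.user_identity.arn"]
    later = [e for e in events if e["@timestamp"] > t0]

    # First policy restoration after the deletion, by any principal.
    replacement = next((e for e in later if e["event.action"] == "UpdateAccountPasswordPolicy"), None)
    gap_end = replacement["@timestamp"] if replacement else None

    # Users/login profiles created between deletion and restoration (or open-ended if never restored).
    unprotected = [e["event.action"] for e in later
                   if e["event.action"] in CREDENTIAL_CREATION
                   and (gap_end is None or e["@timestamp"] < gap_end)]

    # Other notable actions by the same principal within the lookback window on either side.
    related = [e["event.action"] for e in events
               if e is not alert
               and e["aws.cloudtrail.user_identity.arn"] == actor
               and t0 - lookback <= e["@timestamp"] <= t0 + lookback
               and e["event.action"] in CONTROL_WEAKENING | CREDENTIAL_CREATION]

    gap_minutes = int((gap_end - t0).total_seconds() // 60) if gap_end else None
    return {
        "actor": actor,
        "replaced_quickly": gap_end is not None and gap_end - t0 <= replace_within,
        "replacement_by": replacement["aws.cloudtrail.user_identity.arn"] if replacement else None,
        "policy_gap_minutes": gap_minutes,
        "created_while_unprotected": unprotected,
        "related_actor_activity": related,
    }


if __name__ == "__main__":
    for label, events in (("suspicious", SUSPICIOUS_EVENTS), ("benign", BENIGN_EVENTS)):
        alert = next(e for e in events if e["event.action"] == "DeleteAccountPasswordPolicy")
        print(label, triage(events, alert))
```

For the first scenario the summary shows no quick replacement, a 38-minute gap, two credentials created while nothing was enforced, and a StopLogging call by the same principal just beforehand, which is the pattern the "broader effort to weaken controls" step describes. For the second it shows a one-minute gap closed by the same pipeline and nothing created in between, matching the false-positive case the guide allows you to exclude after validation.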
