AWS IAM Group Deletion
Detects when an IAM group is deleted using the DeleteGroup API call. Deletion of an IAM group may represent a malicious attempt to remove audit trails, disrupt operations, or hide adversary activity (for example after using the group briefly for privileged access). This can be an indicator of impact or cleanup in an attack lifecycle.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/05/21"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"

[rule]
author = ["Elastic"]
description = """
Detects when an IAM group is deleted using the DeleteGroup API call. Deletion of an IAM group may represent a malicious
attempt to remove audit trails, disrupt operations, or hide adversary activity (for example after using the group
briefly for privileged access). This can be an indicator of impact or cleanup in an attack lifecycle.
"""
false_positives = [
    """
    Legitimate group deletion during decommissioning of projects, clean-up of service accounts, or identity lifecycle
    changes may trigger this alert. Verify whether the user identity, user agent, and/or hostname should be making
    changes in your environment. Group deletions by unfamiliar users or hosts should be investigated. If known
    behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM Group Deletion"
note = """## Triage and analysis

### Investigating AWS IAM Group Deletion

Attackers sometimes remove groups to erase evidence, disrupt operations, or prevent users from receiving needed permissions (Impact). Deletion can also follow malicious cleanup after attaching policies and using the group briefly. This alert fires on a successful `DeleteGroup` API call against the IAM service; failed attempts (for example `AccessDenied`) do not match because the query requires `event.outcome: success`. Consider intentional disruption or covering tracks, particularly if the group was privileged or recently modified.

### Possible investigation steps

- **Identify the actor and environment**
  - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id`.
  - Check `source.ip`, `user_agent.original`, `cloud.account.id`, and `cloud.region` for atypical activity.

- **Determine what was lost**
  - From `aws.cloudtrail.request_parameters`, capture `groupName`.
  - Use CloudTrail history or AWS Config to identify the members and attached policies the group had before deletion (for example earlier `AddUserToGroup`/`AttachGroupPolicy` calls, or `GetGroup`/`ListAttachedGroupPolicies` activity).
  - Determine whether the group carried privileged policies that could have been weaponized.

- **Correlate with related activity**
  - Look in the prior 1–24h for `DetachGroupPolicy`, `RemoveUserFromGroup`, and `DeleteGroupPolicy` against the same group; these often precede deletion in adversary cleanup workflows, and IAM requires a group to be emptied of users and policies before `DeleteGroup` succeeds.
  - After deletion, monitor for creation of new similarly-named groups, or re-attachment of the same policies to other groups or roles.

### False positive analysis

- Projects and services that are being decommissioned often require group deletion. Confirm through internal inventory and change control.
- Sandbox or dev accounts frequently create and delete groups; ensure the environment context is understood.

### Response and remediation

- **Containment**: If the deletion was unauthorized, restrict the actor’s IAM privileges and block further configuration changes.
- **Investigation and scoping**: Recover details of the deleted group (members, policies) from CloudTrail or AWS Config, and determine the impact of the deletion (which users lost membership, service account disruption).
- **Recovery and hardening**: Recreate the group if necessary, restore intended policies and memberships, enforce change control for group deletions, restrict `iam:DeleteGroup` privileges, and create alerts for destructive IAM operations.

### Additional information
[AWS Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)
"""
references = [
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html",
    "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html",
]
risk_score = 21
rule_id = "867616ec-41e5-4edc-ada2-ab13ab45de8a"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS IAM",
    "Tactic: Impact",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: aws.cloudtrail and
    event.provider: iam.amazonaws.com and
    event.action: DeleteGroup and
    event.outcome: success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1531"
name = "Account Access Removal"
reference = "https://attack.mitre.org/techniques/T1531/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
]
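The detection logic of the query above, carried through the "Determine what was lost" and "Correlate with related activity" steps of the triage guide, as an added worked example in Python; it is not part of the Elastic rule or the Elastic AWS integration. It operates on raw CloudTrail records, so it uses the CloudTrail field names (`eventSource`, `eventName`, `errorCode`, `requestParameters`, `userIdentity`) that the integration maps to `event.provider`, `event.action`, `event.outcome`, `aws.cloudtrail.user_identity` and `aws.cloudtrail.request_parameters`. The sample events and the helper names (`is_group_deletion`, `reconstruct_group`, `triage_deletions`, `_ev`) are constructed for this example.

```python
"""Added example (not part of the Elastic rule): apply the DeleteGroup
detection to raw CloudTrail records, then reconstruct what the deleted
group held and which cleanup calls preceded the deletion.
All sample events below are constructed for this example."""
from datetime import datetime, timedelta

# Cleanup calls the investigation guide says often precede DeleteGroup.
PRECURSOR_EVENTS = {"DetachGroupPolicy", "RemoveUserFromGroup", "DeleteGroupPolicy"}


def is_group_deletion(event):
    """Mirror of the KQL: IAM provider + DeleteGroup action + success.
    The provider check matters because AWS Resource Groups also exposes a
    DeleteGroup API (eventSource resource-groups.amazonaws.com).
    CloudTrail records a failure as an errorCode; its absence means success."""
    return (event.get("eventSource") == "iam.amazonaws.com"
            and event.get("eventName") == "DeleteGroup"
            and "errorCode" not in event)


def _when(event):
    return datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))


def _group_of(event):
    return (event.get("requestParameters") or {}).get("groupName")


def reconstruct_group(events, group_name, before):
    """Replay successful membership and policy changes for group_name that
    happened strictly before `before`; returns (members, policy ARNs)."""
    members, policies = set(), set()
    for ev in sorted(events, key=_when):
        if _when(ev) >= before:
            break
        if _group_of(ev) != group_name or "errorCode" in ev:
            continue
        params, name = ev["requestParameters"], ev["eventName"]
        if name == "AddUserToGroup":
            members.add(params["userName"])
        elif name == "RemoveUserFromGroup":
            members.discard(params["userName"])
        elif name == "AttachGroupPolicy":
            policies.add(params["policyArn"])
        elif name == "DetachGroupPolicy":
            policies.discard(params["policyArn"])
    return members, policies


def triage_deletions(events, lookback=timedelta(hours=24)):
    """For each successful IAM DeleteGroup: the actor, the cleanup calls against
    the same group inside the lookback window, and the members and policies
    the group had just before that cleanup started."""
    alerts = []
    for ev in events:
        if not is_group_deletion(ev):
            continue
        group, deleted_at = _group_of(ev), _when(ev)
        precursors = sorted(
            (p for p in events
             if p["eventName"] in PRECURSOR_EVENTS and _group_of(p) == group
             and deleted_at - lookback <= _when(p) < deleted_at),
            key=_when)
        # IAM only deletes an empty group, so state at deletion time is always
        # empty; look at the state before the first cleanup call instead.
        cutoff = _when(precursors[0]) if precursors else deleted_at
        members, policies = reconstruct_group(events, group, cutoff)
        alerts.append({
            "group": group,
            "actor": ev["userIdentity"]["arn"],
            "account": ev["recipientAccountId"],
            "deleted_at": deleted_at,
            "precursors": [p["eventName"] for p in precursors],
            "members": members,
            "policies": policies,
        })
    return alerts


def _ev(time, name, params, source="iam.amazonaws.com", error=None):
    """Build a minimal constructed CloudTrail record (hypothetical helper)."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "requestParameters": params, "recipientAccountId": "123456789012",
           "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}}
    if error:
        rec["errorCode"] = error
    return rec


ADMIN = "arn:aws:iam::aws:policy/AdministratorAccess"
# Constructed sample: a group is built up, used, stripped, and deleted.
SAMPLE_EVENTS = [
    _ev("2024-03-01T08:00:00Z", "CreateGroup", {"groupName": "ops-admins"}),
    _ev("2024-03-01T08:01:00Z", "AttachGroupPolicy", {"groupName": "ops-admins", "policyArn": ADMIN}),
    _ev("2024-03-01T08:02:00Z", "AddUserToGroup", {"groupName": "ops-admins", "userName": "bob"}),
    _ev("2024-03-01T08:03:00Z", "AddUserToGroup", {"groupName": "ops-admins", "userName": "svc-deploy"}),
    _ev("2024-03-01T09:30:00Z", "DetachGroupPolicy", {"groupName": "ops-admins", "policyArn": ADMIN}),
    _ev("2024-03-01T09:31:00Z", "RemoveUserFromGroup", {"groupName": "ops-admins", "userName": "bob"}),
    _ev("2024-03-01T09:31:30Z", "RemoveUserFromGroup", {"groupName": "ops-admins", "userName": "svc-deploy"}),
    _ev("2024-03-01T09:32:00Z", "DeleteGroup", {"groupName": "ops-admins"}),
    # Failed retry: carries an errorCode, so event.outcome is not success.
    _ev("2024-03-01T09:33:00Z", "DeleteGroup", {"groupName": "ops-admins"}, error="NoSuchEntityException"),
    # Same action name from the Resource Groups service: wrong provider.
    _ev("2024-03-01T09:34:00Z", "DeleteGroup", {"Group": "web-tier"}, source="resource-groups.amazonaws.com"),
]

if __name__ == "__main__":
    for alert in triage_deletions(SAMPLE_EVENTS):
        print(alert)
```

Two of the constructed records exist to show what the query's filters exclude: a failed retry carrying an `errorCode`, and a `DeleteGroup` from the Resource Groups service, which shares the action name but not the `iam.amazonaws.com` provider. The reconstruction stops at the first cleanup call rather than at the deletion itself: IAM refuses to delete a group that still has members or attached policies, so the state at deletion time is always empty, and the state worth recovering is the one just before the actor began stripping the group.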
Related rules
- AWS CloudTrail Log Updated
- AWS EC2 Encryption Disabled
- AWS EventBridge Rule Disabled or Deleted
- AWS IAM API Calls via Temporary Session Tokens
- AWS IAM AdministratorAccess Policy Attached to Group