
IAM Delete Policy Event

Management API call to delete an IAM policy

AWS IAM DeletePolicy API call event with error handling and identity type variations

Tags: aws, iam, policy, delete, security, permissions
Format: JSON | Fields: 12 | Frequency: Low | Category: Generator

Overview

Records when an AWS IAM policy is deleted via the DeletePolicy API operation. This is a critical security event as it permanently removes permission definitions that may be attached to users, groups, or roles.

When Generated:

  • When an administrator deletes an IAM policy via AWS Console
  • When DeletePolicy API is called programmatically (CLI, SDK, Terraform)
  • During automated policy cleanup processes
  • When cleaning up test or temporary policies
  • During security incident response (removing compromised policies)

Security Relevance:

Critical

Compliance:

SOC 2 PCI DSS HIPAA SOX ISO 27001 NIST

Frequency Notes:

Low-frequency event: policy deletions are infrequent but critical administrative actions.

Generation Configuration

Base Frequency: 3 events/hour
Time Patterns: business_hours, night_hours, weekend
Business Hours Multiplier: 3.0x
Night Hours Multiplier: 0.2x
Weekend Multiplier: 0.1x

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

Each entry lists the field name, data type, whether it is required, how the generator sources the value, a description, an example value, and (where applicable) the possible values.

Field: eventVersion
Type: String (Required)
Source: Random selection from valid CloudTrail versions
Description: CloudTrail event format version
Example: 1.08
Possible values:
  • 1.05 — Older CloudTrail format version
  • 1.08 — Current CloudTrail format version
  • 1.09 — Latest CloudTrail format version

Field: userIdentity.type
Type: String (Required)
Source: Random selection between IAMUser and AssumedRole
Description: Type of identity that made the API call
Example: AssumedRole
Possible values:
  • IAMUser — Direct IAM user authentication
  • AssumedRole — Role-based authentication (federated or cross-account)

Field: userIdentity.principalId
Type: String (Required)
Source: Random string with appropriate prefix (AIDA for users, ARO for roles)
Description: Unique identifier for the principal
Example: AIDACKCEVSQ6C2EXAMPLE

Field: eventName
Type: String (Required)
Source: Static value
Description: The IAM API operation name
Example: DeletePolicy

Field: requestParameters.policyArn
Type: String (Required)
Source: Constructed ARN with account ID and policy name
Description: ARN of the policy being deleted
Example: arn:aws:iam::123456789012:policy/AdminPolicy

Field: errorCode
Type: String (Optional)
Source: Random selection when an error occurs
Description: Error code if the operation failed
Example: DeleteConflictException
Possible values:
  • NoSuchEntityException — Policy does not exist
  • DeleteConflictException — Policy cannot be deleted due to dependencies
  • AccessDenied — Insufficient permissions to delete policy

Field: errorMessage
Type: String (Optional)
Source: Conditional message based on error code
Description: Detailed error message when the operation fails
Example: Cannot delete a policy attached to entities.

Field: sourceIPAddress
Type: String (Required)
Source: Random mix of private and public IPs
Description: IP address of the API caller
Example: 203.0.113.42

Field: userAgent
Type: String (Required)
Source: Random selection from realistic AWS client user agents
Description: User agent string indicating the client tool used
Example: aws-cli/2.0.62 Python/3.9.2 Darwin/19.6.0
Possible values:
  • aws-cli/* — AWS Command Line Interface
  • console.amazonaws.com — AWS Management Console
  • aws-sdk-go/* — AWS SDK for Go (often Terraform)
  • aws-sdk-python/* — AWS SDK for Python (boto3)

Field: userIdentity.sessionContext.attributes.mfaAuthenticated
Type: String (Optional)
Source: Random boolean as string
Description: Whether the session used multi-factor authentication
Example: true

Field: awsRegion
Type: String (Required)
Source: Random selection from common AWS regions
Description: AWS region where the API call was made
Example: us-east-1

Field: managementEvent
Type: Boolean (Required)
Source: Static value (always true for IAM operations)
Description: Indicates this is a management plane event
Example: true
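The fields above are what a detection rule actually keys on: a DeletePolicy record with no errorCode is a completed deletion, and the mfaAuthenticated attribute tells you whether the session behind it was MFA-backed. The triage helper below is an added example (not the generator's own code) that applies those checks to records in the documented 12-field layout; the sample events and the ARO... principal ID are constructed.

```python
"""Triage CloudTrail iam:DeletePolicy records using the fields documented above.
Sample events below are constructed in that layout, not real CloudTrail output."""
from typing import Any

def _mfa_used(event: dict[str, Any]) -> bool:
    # CloudTrail carries mfaAuthenticated as the string "true"/"false"
    attrs = (event.get("userIdentity", {})
                  .get("sessionContext", {})
                  .get("attributes", {}))
    return str(attrs.get("mfaAuthenticated", "false")).lower() == "true"

def triage_delete_policy(event: dict[str, Any]) -> dict[str, Any]:
    """Classify one record as 'alert', 'review', 'info' or 'ignore'."""
    if event.get("eventName") != "DeletePolicy":
        return {"verdict": "ignore", "reason": "not a DeletePolicy event"}
    arn = event.get("requestParameters", {}).get("policyArn", "")
    policy = arn.rsplit("/", 1)[-1]  # last ARN path segment is the policy name
    identity = event.get("userIdentity", {}).get("type")
    error = event.get("errorCode")
    if error is None:
        # No errorCode means the deletion completed; the policy document is gone.
        if not _mfa_used(event):
            return {"verdict": "alert", "policy": policy,
                    "reason": f"policy deleted by {identity} without MFA"}
        return {"verdict": "review", "policy": policy,
                "reason": f"policy deleted by {identity} with MFA"}
    if error == "AccessDenied":
        # Denied attempts changed nothing but are worth a look for misconfiguration
        return {"verdict": "review", "policy": policy, "reason": "delete attempt denied"}
    # NoSuchEntityException / DeleteConflictException: failed call, no state change
    return {"verdict": "info", "policy": policy, "reason": error}

# Constructed sample records in the documented field layout
SAMPLE_EVENTS = [
    {"eventVersion": "1.08", "eventName": "DeletePolicy",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDACKCEVSQ6C2EXAMPLE"},
     "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/AdminPolicy"},
     "sourceIPAddress": "203.0.113.42", "awsRegion": "us-east-1",
     "managementEvent": True},
    {"eventVersion": "1.08", "eventName": "DeletePolicy",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROEXAMPLECONSTRUCTED",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/AdminPolicy"},
     "errorCode": "DeleteConflictException",
     "errorMessage": "Cannot delete a policy attached to entities.",
     "awsRegion": "us-east-1", "managementEvent": True},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage_delete_policy(ev))
```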

Details

Fields: 12
Frequency: Low
Tags: 6
Event Type: iam_delete_policy
