Techniques
Sample rules
AWS IAM Account Password Policy Deleted
- source: elastic
- technicques:
- T1556
Description
Identifies deletion of the AWS account password policy via DeleteAccountPasswordPolicy. The account password policy enforces minimum password requirements (length, complexity, rotation, and reuse) for all IAM users in the account. Deleting it removes those requirements account-wide, weakening authentication and easing follow-on credential-based attacks. This is an account-level change that legitimately occurs only during deliberate administration, so its deletion by an unexpected principal warrants review.
Detection logic
data_stream.dataset: "aws.cloudtrail"
and event.provider: "iam.amazonaws.com"
and event.action: "DeleteAccountPasswordPolicy"
and event.outcome: "success"
and not aws.cloudtrail.user_identity.type: "AWSService"
and not user_agent.original: (*terraform* or *pulumi* or *ansible*)
and not aws.cloudtrail.user_identity.arn: (*terraform* or *pulumi* or *ansible*)
and not source.address: ("cloudformation.amazonaws.com" or "servicecatalog.amazonaws.com")