AWS_CAN_DELETE_ACCESS_KEY

Summary

  FSProtect ACL Alias:          AWS_CAN_DELETE_ACCESS_KEY
  Edge Type:                    Attack Path
  Affected Object Types:        IAM Users
  Exploitation Certainty:       Certain
  AWS IAM Action / Condition:   iam:DeleteAccessKey for target IAM user

Description

AWS_CAN_DELETE_ACCESS_KEY represents the ability to delete an existing access key from an IAM user.

By itself, this action only disrupts the account: whatever still authenticates with the deleted key stops working, but the caller gains no access. In attack-path context, it is frequently used to:

  • Remove an existing key when the target user already holds the IAM maximum of two access keys, since no new key can be created until one is deleted.

  • Free a key slot, then create attacker-controlled credentials via AWS_CAN_CREATE_ACCESS_KEY.

  • Replace legitimate credentials with attacker-managed credentials for persistence.

Identification

AWS CLI

Check whether a principal can delete access keys on a target user:

List existing target keys:

AWS Console

  • Open IAM -> Users -> select target user.

  • Open Security credentials.

  • Review access keys and delegated permissions for key management.

Exploitation

AWS CLI

Delete an existing key:

Common chain:

  1. Delete key to free slot (AWS_CAN_DELETE_ACCESS_KEY).

  2. Create attacker key (AWS_CAN_CREATE_ACCESS_KEY).

Mitigation

  • Restrict iam:DeleteAccessKey to dedicated identity lifecycle processes.

  • Separate duties for key deletion and key creation where possible.

  • Alert on high-value users whose keys are deleted outside approved windows.

  • Require strong change control for IAM credential management actions.

Detection

Monitor CloudTrail:

  • Event source: iam.amazonaws.com

  • Event name: DeleteAccessKey

Example lookup:

Correlate with CreateAccessKey activity on the same target user shortly after the deletion: a delete followed within minutes by a create, especially from a principal that is not the user's owner or the approved rotation process, is the free-a-slot chain described under Exploitation.
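As an added example that is not part of this page or of FSProtect's own tooling, the Python below runs that correlation over a few constructed CloudTrail records (the account id, user names, principal ARNs and key ids are made up) and reports each DeleteAccessKey on a user that is followed within a short window by a CreateAccessKey on the same user.

```python
import json
from datetime import datetime, timedelta

# Constructed sample CloudTrail records (not real data); only the fields the
# detection needs are present. eventTime is ISO 8601 UTC, as CloudTrail emits it.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "DeleteAccessKey",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/helpdesk-bot"},
  "requestParameters": {"userName": "billing-admin", "accessKeyId": "AKIAEXAMPLE000000001"}},
 {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/helpdesk-bot"},
  "requestParameters": {"userName": "billing-admin"}},
 {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "DeleteAccessKey",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-rotation"},
  "requestParameters": {"userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLE000000002"}},
 {"eventTime": "2024-05-01T14:00:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-rotation"},
  "requestParameters": {"userName": "ci-deploy"}}
]""")

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _target_user(event):
    # An IAM key call without userName acts on the caller's own keys.
    params = event.get("requestParameters") or {}
    return params.get("userName") or event["userIdentity"]["arn"].rsplit("/", 1)[-1]

def find_delete_then_create(events, window_minutes=15):
    """Return each DeleteAccessKey that is followed within window_minutes by a
    CreateAccessKey on the same target user: the free-a-slot chain above."""
    window = timedelta(minutes=window_minutes)
    iam = [e for e in events if e.get("eventSource") == "iam.amazonaws.com"]
    creates = [e for e in iam if e["eventName"] == "CreateAccessKey"]
    hits = []
    for d in (e for e in iam if e["eventName"] == "DeleteAccessKey"):
        user = _target_user(d)
        for c in creates:
            if _target_user(c) == user and timedelta(0) <= _ts(c) - _ts(d) <= window:
                hits.append({"target_user": user, "actor": d["userIdentity"]["arn"],
                             "deleted_key": d["requestParameters"].get("accessKeyId"),
                             "delete_time": d["eventTime"], "create_time": c["eventTime"]})
                break
    return hits
```

With the default 15-minute window only the billing-admin pair is reported; widening the window also surfaces the ci-deploy rotation three hours apart, which is why the window should match your approved rotation cadence.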
