> For the complete documentation index, see [llms.txt](https://docs.forestall.io/fsprotect/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.forestall.io/fsprotect/edges/aws/aws_can_delete_access_key.md). # AWS\_CAN\_DELETE\_ACCESS\_KEY ## Summary | | | | ------------------------------ | ----------------------------------------- | | **FSProtect ACL Alias** | AWS\_CAN\_DELETE\_ACCESS\_KEY | | **Edge Type** | Attack Path | | **Affected Object Types** | IAM Users | | **Exploitation Certainty** | Certain | | **AWS IAM Action / Condition** | `iam:DeleteAccessKey` for target IAM user | ## Description `AWS_CAN_DELETE_ACCESS_KEY` represents the ability to delete an existing access key from an IAM user. By itself, this action can cause account disruption. In attack-path context, it is frequently used to: * Remove an existing key when the target user already has two keys. * Free a key slot, then create attacker-controlled credentials via [`AWS_CAN_CREATE_ACCESS_KEY`](https://docs.forestall.io/fsprotect/edges/aws/aws_can_create_access_key). * Replace legitimate credentials with attacker-managed credentials for persistence. ## Identification ### AWS CLI Check whether a principal can delete access keys on a target user: ```bash aws iam simulate-principal-policy \ --policy-source-arn arn:aws:iam::123456789012:user/AnalystUser \ --action-names iam:DeleteAccessKey \ --resource-arns arn:aws:iam::123456789012:user/TargetUser ``` List existing target keys: ```bash aws iam list-access-keys --user-name TargetUser ``` ### AWS Console * Open **IAM** -> **Users** -> select target user. * Open **Security credentials**. * Review access keys and delegated permissions for key management. ## Exploitation ### AWS CLI Delete an existing key: ```bash aws iam delete-access-key \ --user-name TargetUser \ --access-key-id AKIAEXAMPLEKEYID ``` Common chain: 1. Delete key to free slot (`AWS_CAN_DELETE_ACCESS_KEY`). 2. Create attacker key (`AWS_CAN_CREATE_ACCESS_KEY`). ## Mitigation * Restrict `iam:DeleteAccessKey` to dedicated identity lifecycle processes. * Separate duties for key deletion and key creation where possible. * Alert on high-value users whose keys are deleted outside approved windows. * Require strong change control for IAM credential management actions. ## Detection Monitor CloudTrail: * **Event source**: `iam.amazonaws.com` * **Event name**: `DeleteAccessKey` Example lookup: ```bash aws cloudtrail lookup-events \ --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteAccessKey ``` Correlate with near-term `CreateAccessKey` activity on the same target user. ## References * * * --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://docs.forestall.io/fsprotect/edges/aws/aws_can_delete_access_key.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.