
Insider Threat Matrix™

  • ID: IF014.005
  • Created: 20th June 2024
  • Updated: 29th April 2025
  • Contributor: The ITM Team

Deletion of Cloud Resources

A subject deliberately or negligently deletes cloud-based resources, leading to the disruption, degradation, or complete interruption of organizational operations. Deletion of critical resources may result in the permanent loss of data, service outages, impaired system performance, or the failure of customer-facing applications. Such actions often violate organizational policies governing change management, data retention, disaster recovery, and access control, and may expose the firm to significant operational, financial, legal, and reputational risks.


  • Characteristics:
    May involve deletion of compute instances, storage buckets, databases, networking components, IAM configurations, or application services.
    Can be motivated by malice (e.g., retaliation, sabotage) or negligence (e.g., misunderstanding scope of permissions, error during unsanctioned activities).
    Deletions may occur directly via administrative consoles, APIs, or CLI tools, often outside of approved change management processes.
    Recovery may be delayed or impossible if backup, replication, or retention mechanisms are improperly configured or bypassed.
    Associated activity often correlates with other early indicators, such as privilege escalation, unauthorized access attempts, or policy circumvention behaviors.


Example Scenario:
A subject with elevated cloud access privileges, dissatisfied with an impending termination, manually deletes production virtual machines and storage buckets without authorization. This leads to an extended outage of the organization’s primary customer platform, resulting in contractual penalties, regulatory reporting obligations, and long-term reputational damage. Post-incident investigation reveals inadequate enforcement of least privilege policies and incomplete backup coverage for critical resources.

Prevention

PV023: Access Reviews

Routine reviews of user accounts and their associated privileges and permissions should be conducted to identify overly-permissive accounts, or accounts that are no longer required to be active.

PV002: Restrict Access to Administrative Privileges

The Principle of Least Privilege should be enforced, and periodic reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete the duties of their role.

Detection

DT064: AWS CloudTrail, Resource Deletion

CloudTrail logs by themselves, or in conjunction with CloudWatch, can be used to identify resource deletion events. These logs contain the account that performed the action (within the userIdentity field), a timestamp (within the eventTime field), and more detailed information depending on what resource was deleted. Some eventName examples include: DeleteBucket (for S3 bucket deletion), DeleteDBInstance (for RDS deletion), and TerminateInstances (for EC2 termination).

DT066: Azure Activity Log, Resource Deletion

Azure Activity Log can be used to identify resource deletion events by using the search bar to filter by operations related to deletion, such as Delete or Delete Resource. These logs contain the account that performed the action (within the Caller field), a timestamp and more detailed information depending on what resource was deleted (within the Resource, Status, and Properties fields).

DT065: GCP Cloud Audit Logs, Resource Deletion

GCP Cloud Audit Logs can be used to identify resource deletion events. These logs contain the account that performed the action (within the Principal field), a timestamp, and more detailed information depending on what resource was deleted. Some query examples include: resource.type="gcs_bucket" and protoPayload.methodName="storage.buckets.delete" for bucket deletion, and resource.type="gce_instance" and protoPayload.methodName="v1.compute.instances.delete" for compute instance deletion.
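The following Python script is an added illustration of the detection logic described in DT064 and DT065; it is not part of the Insider Threat Matrix and not an ITM tool. It reads newline-delimited CloudTrail records and GCP Cloud Audit LogEntry objects, keeps only the deletion events named above (eventName for AWS, resource.type plus protoPayload.methodName for GCP), normalises actor, timestamp, action and target into one record, and counts deletions per actor so that a burst of deletions from a single identity stands out. The CloudTrail requestParameters shapes used to recover the deleted resource id (bucketName, dBInstanceIdentifier, instancesSet.items[].instanceId) follow the documented CloudTrail schema but are assumptions as far as this page is concerned; the sample log lines are constructed, not captured from a real account.

```python
"""Flag cloud resource deletion events in CloudTrail and GCP Cloud Audit Log records.

Added illustration for DT064 and DT065; not part of the Insider Threat Matrix.
The sample records at the bottom are constructed, not real log data.
"""
import json
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# CloudTrail eventName values named in DT064.
AWS_DELETE_EVENTS = {"DeleteBucket", "DeleteDBInstance", "TerminateInstances"}

# (resource.type, protoPayload.methodName) pairs named in DT065.
GCP_DELETE_METHODS = {
    ("gcs_bucket", "storage.buckets.delete"),
    ("gce_instance", "v1.compute.instances.delete"),
}


@dataclass(frozen=True)
class DeletionEvent:
    provider: str   # "aws" or "gcp"
    actor: str      # identity that performed the deletion
    time: str       # timestamp as recorded in the log
    action: str     # CloudTrail eventName or GCP methodName
    target: str     # best-effort identifier of the deleted resource


def _aws_target(name: str, params: dict) -> str:
    """Pull the deleted resource id out of requestParameters.

    The field layout differs per service (assumed from the CloudTrail schema).
    """
    if name == "DeleteBucket":
        return params.get("bucketName", "?")
    if name == "DeleteDBInstance":
        return params.get("dBInstanceIdentifier", "?")
    if name == "TerminateInstances":
        items = (params.get("instancesSet") or {}).get("items") or []
        return ",".join(i.get("instanceId", "?") for i in items)
    return json.dumps(params, sort_keys=True)


def from_cloudtrail(record: dict) -> Optional[DeletionEvent]:
    """Return a DeletionEvent for a CloudTrail record, or None if it is not a deletion."""
    name = record.get("eventName", "")
    if name not in AWS_DELETE_EVENTS:
        return None
    identity = record.get("userIdentity") or {}
    # Prefer the ARN: for assumed roles it carries the session name as well.
    actor = identity.get("arn") or identity.get("userName") or identity.get("type", "unknown")
    return DeletionEvent("aws", actor, record.get("eventTime", ""), name,
                         _aws_target(name, record.get("requestParameters") or {}))


def from_gcp_audit(entry: dict) -> Optional[DeletionEvent]:
    """Return a DeletionEvent for a GCP audit LogEntry, or None if it is not a deletion."""
    payload = entry.get("protoPayload") or {}
    key = ((entry.get("resource") or {}).get("type", ""), payload.get("methodName", ""))
    if key not in GCP_DELETE_METHODS:
        return None
    # The "Principal" shown in Logs Explorer is protoPayload.authenticationInfo.principalEmail.
    actor = (payload.get("authenticationInfo") or {}).get("principalEmail", "unknown")
    return DeletionEvent("gcp", actor, entry.get("timestamp", ""), key[1],
                         payload.get("resourceName", "?"))


def find_deletions(lines: Iterable[str]) -> List[DeletionEvent]:
    """Parse newline-delimited JSON from either provider and keep only deletion events."""
    found: List[DeletionEvent] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        # GCP audit entries always carry protoPayload; CloudTrail records never do.
        ev = from_gcp_audit(rec) if "protoPayload" in rec else from_cloudtrail(rec)
        if ev is not None:
            found.append(ev)
    return found


def deletions_per_actor(events: Iterable[DeletionEvent]) -> Counter:
    """Count deletions by actor; several in a short span from one identity merits triage."""
    return Counter(e.actor for e in events)


# Constructed sample records, one JSON object per line (not real log data).
SAMPLE_LOG = """
{"eventTime": "2025-04-29T10:15:02Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-admin"}, "requestParameters": {"bucketName": "prod-customer-exports"}}
{"eventTime": "2025-04-29T10:15:30Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-admin"}}
{"eventTime": "2025-04-29T10:16:11Z", "eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-admin"}, "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}, {"instanceId": "i-0fedcba9876543210"}]}}}
{"timestamp": "2025-04-29T10:20:05Z", "resource": {"type": "gcs_bucket"}, "protoPayload": {"methodName": "storage.buckets.delete", "resourceName": "projects/_/buckets/prod-backups", "authenticationInfo": {"principalEmail": "example-admin@example.com"}}}
{"timestamp": "2025-04-29T10:21:00Z", "resource": {"type": "gce_instance"}, "protoPayload": {"methodName": "v1.compute.instances.insert", "resourceName": "projects/example/zones/us-central1-a/instances/web-1", "authenticationInfo": {"principalEmail": "builder@example.com"}}}
{"timestamp": "2025-04-29T10:22:40Z", "resource": {"type": "gce_instance"}, "protoPayload": {"methodName": "v1.compute.instances.delete", "resourceName": "projects/example/zones/us-central1-a/instances/web-1", "authenticationInfo": {"principalEmail": "example-admin@example.com"}}}
"""

if __name__ == "__main__":
    events = find_deletions(SAMPLE_LOG.splitlines())
    for e in events:
        print(f"{e.time} {e.provider:<3} {e.actor} {e.action} -> {e.target}")
    print(deletions_per_actor(events))
```

On the constructed sample, the script reports four deletion events (two AWS, two GCP) and attributes two to each of the sample identities; the ListBuckets and instances.insert lines are ignored. In practice the allow-lists would be widened to the services in use and the per-actor counts would be compared against a time window and the approved change records, which is where the deviation from change-management process noted in the Characteristics above becomes visible.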