Users from IAM disappeared out of nowhere.

0

After a year of creating the access policies and their users, there came a day last week when all the users I had created over a period of 5 months disappeared without a trace; only their policies remained. I did not schedule or leave anything related to active scheduled deletion. How can I diagnose this?

asked a month ago, 57 views
2 Answers
1

Open the CloudTrail console, switch the region to us-east-1 (where all write operations to IAM in the main commercial AWS partition are performed), open the "Event history" view, and set the "Lookup attribute" selection in the event browser to "Event name." Enter DeleteUser as the event to look for.

This will show all the user deletions that have occurred in the account in the past 90 days, along with extensive auditing information, including the exact timestamp, the role/user/other principal that performed the deletion, their IP address, and other details. Events older than 90 days are not available, unless you have a custom trail configured to deliver events to an S3 bucket and/or a CloudWatch log group, but for your change that occurred last week, the default trail will suffice.

EXPERT
answered a month ago
EXPERT
reviewed a month ago
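The console lookup described in this answer can be scripted with the same filter. The block below is an added example, not code from the answer above or from AWS: it assumes the events were exported with `aws cloudtrail lookup-events --region us-east-1 --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteUser --output json` (the shape boto3's `lookup_events` also returns), where each element of `Events` carries a `CloudTrailEvent` field that is itself a JSON string with the full record. The three events, account ID, role and user names are constructed sample data; the script flattens the records into one row per deleted user, separates successful deletions from denied attempts (CloudTrail logs both, the failures with an `errorCode`), and groups the successes by principal and source IP so a burst of deletions from one session stands out.

```python
"""Triage IAM DeleteUser events from a CloudTrail lookup-events export.

Added example (not from the original answer). Expects the JSON written by:
    aws cloudtrail lookup-events --region us-east-1 \
        --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteUser \
        --output json > delete_user_events.json
"""
import json
import sys
from collections import Counter

ACCOUNT = "123456789012"  # constructed sample account ID


def _record(time, actor_type, arn, ip, deleted, error=None):
    """Build one lookup-events element with a constructed CloudTrail record inside."""
    rec = {
        "eventVersion": "1.08", "eventTime": time, "eventSource": "iam.amazonaws.com",
        "eventName": "DeleteUser", "awsRegion": "us-east-1",
        "sourceIPAddress": ip, "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": actor_type, "arn": arn, "accountId": ACCOUNT},
        "requestParameters": {"userName": deleted},
    }
    if error:  # a denied call is still logged, with errorCode/errorMessage set
        rec["errorCode"] = error
        rec["errorMessage"] = f"User: {arn} is not authorized to perform: iam:DeleteUser"
    return {"EventId": f"evt-{deleted}", "EventName": "DeleteUser", "EventTime": time,
            "Username": arn.rsplit("/", 1)[-1], "CloudTrailEvent": json.dumps(rec)}


# Constructed sample (not real account data): two deletions by one assumed-role
# session two seconds apart, then a denied attempt by an IAM user the next day.
CLEANUP_ROLE = f"arn:aws:sts::{ACCOUNT}:assumed-role/cleanup-role/session1"
INTERN_USER = f"arn:aws:iam::{ACCOUNT}:user/dev-intern"
SAMPLE_LOOKUP_OUTPUT = {"Events": [
    _record("2024-05-02T03:14:07Z", "AssumedRole", CLEANUP_ROLE, "203.0.113.45", "alice"),
    _record("2024-05-02T03:14:09Z", "AssumedRole", CLEANUP_ROLE, "203.0.113.45", "bob"),
    _record("2024-05-03T11:02:51Z", "IAMUser", INTERN_USER, "198.51.100.7", "carol",
            error="AccessDenied"),
]}


def parse_delete_user_events(lookup_output):
    """Flatten lookup-events output into one row per DeleteUser call, oldest first."""
    rows = []
    for ev in lookup_output.get("Events", []):
        if ev.get("EventName") != "DeleteUser":
            continue  # the lookup attribute already filters; stay defensive anyway
        rec = json.loads(ev["CloudTrailEvent"])
        ident = rec.get("userIdentity", {})
        rows.append({
            "time": rec.get("eventTime", ev.get("EventTime")),
            "deleted_user": rec.get("requestParameters", {}).get("userName"),
            "actor_arn": ident.get("arn"),
            "actor_type": ident.get("type"),
            "source_ip": rec.get("sourceIPAddress"),
            "user_agent": rec.get("userAgent"),
            "error": rec.get("errorCode"),  # None when the deletion succeeded
        })
    rows.sort(key=lambda r: r["time"])
    return rows


def summarize(rows):
    """Count successful deletions by principal and by source IP; keep denied attempts apart."""
    ok = [r for r in rows if not r["error"]]
    return {
        "deleted_users": [r["deleted_user"] for r in ok],
        "by_actor": dict(Counter(r["actor_arn"] for r in ok)),
        "by_ip": dict(Counter(r["source_ip"] for r in ok)),
        "first": ok[0]["time"] if ok else None,
        "last": ok[-1]["time"] if ok else None,
        "denied_attempts": [(r["time"], r["actor_arn"], r["deleted_user"]) for r in rows if r["error"]],
    }


if __name__ == "__main__":
    # Pass the exported JSON file as the first argument; otherwise use the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOOKUP_OUTPUT
    for row in parse_delete_user_events(data):
        status = row["error"] or "OK"
        print(f"{row['time']} {status:<12} {row['deleted_user']:<12} by {row['actor_arn']} "
              f"from {row['source_ip']} ({row['user_agent']})")
    print(json.dumps(summarize(parse_delete_user_events(data)), indent=2))
```

The actor ARN is the thing to chase: for an `AssumedRole` principal the session name and `sessionContext` in the raw record say which user or workload assumed it, and a second lookup on `EventName=AssumeRole` around the same timestamp shows where the session came from. Keep in mind that Event history only covers the last 90 days, exactly as the answer says.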
0

Hello,

If your IAM users disappeared unexpectedly, here are possible causes and steps to resolve the issue:

Possible Causes:

  1. Accidental Deletion: Users might have been deleted manually by someone with admin access.
  2. Policies Without Users: If users were deleted but their policies remained, it suggests only the user accounts were removed.
  3. Compromised Security: There might have been unauthorized access, and someone with admin privileges deleted the users.
  4. AWS Organization Policy: A restrictive organizational policy might have removed users.

Steps to Diagnose and Resolve:

  1. Check CloudTrail Logs: Review CloudTrail logs to see if any user deletion actions were recorded. This will help you trace who deleted the users and when.
  2. Review IAM Permissions: Ensure no over-permissive access was granted, allowing unauthorized deletions.
  3. Check Organizational Policies: If using AWS Organizations, review any policies that could have caused the user deletions.
  4. Restore Users: If you have backups (e.g., CloudFormation, AWS Config), you can attempt to restore the deleted users.

https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot.html

EXPERT
answered a month ago
EXPERT
reviewed a month ago
  • I don't think SCPs remove users rather than deny actions in IAM on them. But check CloudTrail for what happened to them
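Following the comment above that SCPs deny actions rather than remove users, here is the kind of guardrail a practitioner would add after an incident like this. It is an added example, not part of either answer: a service control policy that denies `iam:DeleteUser` to every principal in the member accounts it is attached to except a break-glass role, whose name `IamBreakGlassRole` is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIamUserDeletionExceptBreakGlass",
      "Effect": "Deny",
      "Action": "iam:DeleteUser",
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/IamBreakGlassRole"
        }
      }
    }
  ]
}
```

Two caveats: SCPs do not apply to the management account of the organization, so this does nothing for deletions made there, and a denied call is still written to CloudTrail with `errorCode` set to `AccessDenied`, which is what you want, since the attempt itself is the signal to investigate.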
