How to check from cloud trail deleted policies?

Question

We have one role which has 8 policies attached to it. One policy has been removed by someone, now how to identify when it was removed. How to check from cloud trail?

score 3 · Answer 1 · answered Nov 14 '20 at 12:34

There are two possible event types, depending on if a managed policy or an inline policy has been removed from the role:

DetachRolePolicy for managed policies
DeleteRolePolicy for inline policies

You can filter the CloudTrail event history by either of these to find and analyze the respective events.

Please note that if you haven’t explicitly created a trail in AWS CloudTrail, the events are only retained for 90 days.

score -1 · Answer 2 · answered Nov 14 '20 at 12:31

-1

I got the answer, I can find it in cloudtrail event history. enter image description here

answered Nov 14 '20 at 12:31

bamishr

410
1
6
23

How to check from cloud trail deleted policies?

2 Answers2