DeleteRolePermissionsBoundary
AWS
DeleteRolePermissionsBoundary
Event
Removes the permissions boundary from an IAM role, potentially expanding the role’s maximum effective permissions.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
- Removing permission boundaries eliminates security guardrails, potentially granting an identity unrestricted access to cloud resources.
Log Source
CloudTrail
Sample Event
Adversarial. Draco — having previously gained iam:* on a developer role through a misconfigured policy — removes the permissions boundary from OccamyPipelineRole, lifting the cap on the role’s effective permissions. The role’s policies still grant broad pipeline access, but without the boundary it can now do anything those policies imply (which include iam:PassRole to admin roles in some setups). T1548 + T1685.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T19:02:11Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T19:38:11Z", "eventSource": "iam.amazonaws.com", "eventName": "DeleteRolePermissionsBoundary", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "roleName": "OccamyPipelineRole" }, "responseElements": null, "requestID": "90000000-0000-4000-8000-000011110110", "eventID": "90000000-0000-4000-8000-000011110111", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "iam.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Privilege Escalation Defense Impairment
Techniques:
- T1548 — Abuse Elevation Control Mechanism — Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific u...
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...