DeleteRolePermissionsBoundary
Event
Removes the permissions boundary from an IAM role, potentially expanding the role’s maximum effective permissions.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
- Removing permission boundaries eliminates security guardrails, potentially granting an identity unrestricted access to cloud resources.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Privilege Escalation Defense Evasion
Techniques:
- T1548 — Abuse Elevation Control Mechanism — Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine.
- T1562 — Impair Defenses — Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify...