Skip to content

DeleteUserPermissionsBoundary

AWS

DeleteUserPermissionsBoundary

service: AWS - IAM
techniques:

Event

Removes the permissions boundary from an IAM user, potentially expanding their maximum effective permissions.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
  • Removing permission boundaries eliminates security guardrails, potentially granting an identity unrestricted access to cloud resources.

Log Source

CloudTrail

Sample Event

Adversarial. Draco removes the permissions boundary from his own IAM user (draco) — his attached policies grant broad write privileges that the boundary had been capping. With the boundary gone, the policy text becomes effective. T1548 + T1685. Same-user operation is a sharp privesc signal.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T19:02:11Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T19:39:55Z",
"eventSource": "iam.amazonaws.com",
"eventName": "DeleteUserPermissionsBoundary",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"userName": "draco"
},
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000100000010",
"eventID": "90000000-0000-4000-8000-000100000011",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "iam.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Privilege Escalation Defense Impairment

Techniques:
  • T1548 — Abuse Elevation Control Mechanism — Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific u...
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...