Skip to content

PutRolePermissionsBoundary

AWS

PutRolePermissionsBoundary

service: AWS - IAM
techniques:

Event

Sets a permissions boundary on an IAM role, capping the maximum permissions the role can be granted.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.

Log Source

CloudTrail

Sample Event

Legitimate. Hermione (IAM admin) tightens the permissions boundary on OccamyPipelineRole after a quarterly access review, applying the corp-wide BoundaryForServiceRoles managed policy to cap what the role can ever be granted. Routine but auditable — useful as a “what does normal look like” reference next to a future adversarial PutRolePolicy/PutRolePermissionsBoundary chain (where the boundary is widened to remove constraints).

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAHERM10NE000ADM1N",
"arn": "arn:aws:iam::555123456789:user/hermione",
"accountId": "555123456789",
"accessKeyId": "AKIAHERM10NEEXAMPLE1",
"userName": "hermione",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T13:02:11Z",
"mfaAuthenticated": "true"
}
}
},
"eventTime": "2026-04-15T13:24:46Z",
"eventSource": "iam.amazonaws.com",
"eventName": "PutRolePermissionsBoundary",
"awsRegion": "us-east-1",
"sourceIPAddress": "198.51.100.42",
"userAgent": "aws-cli/2.15.30 Python/3.11.6 Linux/5.15.0-1052-aws exe/x86_64.ubuntu.22 prompt/off command/iam.put-role-permissions-boundary",
"requestParameters": {
"roleName": "OccamyPipelineRole",
"permissionsBoundary": "arn:aws:iam::555123456789:policy/BoundaryForServiceRoles"
},
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000110010000",
"eventID": "90000000-0000-4000-8000-000110010001",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "iam.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...