PutRolePermissionsBoundary
AWS
PutRolePermissionsBoundary
Event
Sets a permissions boundary on an IAM role, capping the maximum permissions the role can be granted.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
Log Source
CloudTrail
Sample Event
Legitimate. Hermione (IAM admin) tightens the permissions boundary on OccamyPipelineRole after a quarterly access review, applying the corp-wide BoundaryForServiceRoles managed policy to cap what the role can ever be granted. Routine but auditable — useful as a “what does normal look like” reference next to a future adversarial PutRolePolicy/PutRolePermissionsBoundary chain (where the boundary is widened to remove constraints).
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDAHERM10NE000ADM1N", "arn": "arn:aws:iam::555123456789:user/hermione", "accountId": "555123456789", "accessKeyId": "AKIAHERM10NEEXAMPLE1", "userName": "hermione", "sessionContext": { "attributes": { "creationDate": "2026-04-15T13:02:11Z", "mfaAuthenticated": "true" } } }, "eventTime": "2026-04-15T13:24:46Z", "eventSource": "iam.amazonaws.com", "eventName": "PutRolePermissionsBoundary", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.42", "userAgent": "aws-cli/2.15.30 Python/3.11.6 Linux/5.15.0-1052-aws exe/x86_64.ubuntu.22 prompt/off command/iam.put-role-permissions-boundary", "requestParameters": { "roleName": "OccamyPipelineRole", "permissionsBoundary": "arn:aws:iam::555123456789:policy/BoundaryForServiceRoles" }, "responseElements": null, "requestID": "90000000-0000-4000-8000-000110010000", "eventID": "90000000-0000-4000-8000-000110010001", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "iam.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...