Skip to content

PutUserPermissionsBoundary

AWS

PutUserPermissionsBoundary

service: AWS - IAM
techniques:

Event

Sets a permissions boundary on an IAM user, limiting the maximum permissions they can ever be granted.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.

Log Source

CloudTrail

Sample Event

Adversarial. Draco applies a permissive boundary arn:aws:iam::aws:policy/AdministratorAccess to his own user draco — effectively replacing whatever boundary was already in place. AWS does not require a boundary to be more restrictive than attached policies, so an adversary with iam:PutUserPermissionsBoundary who has the right managed-policy choices available can use this to maintain admin-equivalent access regardless of what attached policies say. Same session as the chained Draco activity.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T18:51:02Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T19:34:07Z",
"eventSource": "iam.amazonaws.com",
"eventName": "PutUserPermissionsBoundary",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"userName": "draco",
"permissionsBoundary": "arn:aws:iam::aws:policy/AdministratorAccess"
},
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000110011000",
"eventID": "90000000-0000-4000-8000-000110011001",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "iam.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...