PutUserPermissionsBoundary
AWS
PutUserPermissionsBoundary
Event
Sets a permissions boundary on an IAM user, limiting the maximum permissions they can ever be granted.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
Log Source
CloudTrail
Sample Event
Adversarial. Draco applies a permissive boundary arn:aws:iam::aws:policy/AdministratorAccess to his own user draco — effectively replacing whatever boundary was already in place. AWS does not require a boundary to be more restrictive than attached policies, so an adversary with iam:PutUserPermissionsBoundary who has the right managed-policy choices available can use this to maintain admin-equivalent access regardless of what attached policies say. Same session as the chained Draco activity.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T18:51:02Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T19:34:07Z", "eventSource": "iam.amazonaws.com", "eventName": "PutUserPermissionsBoundary", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "userName": "draco", "permissionsBoundary": "arn:aws:iam::aws:policy/AdministratorAccess" }, "responseElements": null, "requestID": "90000000-0000-4000-8000-000110011000", "eventID": "90000000-0000-4000-8000-000110011001", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "iam.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...