AWS IAM permission boundary deleted
Description
AlphaSOC detected the removal of an AWS IAM permissions boundary from a user or role via the DeleteUserPermissionsBoundary or DeleteRolePermissionsBoundary API action. A permissions boundary caps the maximum permissions an IAM entity can use; it grants nothing by itself, but with it removed the entity's identity-based policies take full effect. Removing a boundary can therefore enable privilege escalation.
Impact
Threat actors often attempt to gain higher-level permissions by altering AWS IAM policies. Deleting a permissions boundary may allow a user or role to gain excessive privileges, potentially leading to unauthorized access to sensitive resources or data breaches.
Severity
Severity | Condition |
---|---|
Informational | AWS IAM permission boundary was deleted |
Investigation and Remediation
Review AWS CloudTrail logs to identify the principal responsible for the action (userIdentity, sourceIPAddress) and the user or role affected (requestParameters.userName or requestParameters.roleName). Note that the delete event does not record which boundary policy was removed; recover the previous boundary ARN from earlier PutUserPermissionsBoundary, PutRolePermissionsBoundary, CreateUser or CreateRole events, AWS Config history, or your infrastructure-as-code. If the action is unauthorized, reinstate the permissions boundary, revoke any potentially compromised credentials, and review actions taken by the affected entity after the boundary removal. Events carrying an errorCode (for example AccessDenied) are failed attempts that left the boundary in place, but the attempt itself still warrants review.
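The following is an added example, not AlphaSOC's detection code, showing the triage logic described above run over a constructed CloudTrail log: it picks out the two boundary-removal API actions, records the acting principal, source IP and target entity, distinguishes successful removals from denied attempts, and recovers the last known boundary ARN for an affected entity from earlier Put*/Create* events. The account ID, ARNs, names and IP addresses in the sample records are placeholders.

```python
import json

# Constructed sample CloudTrail log (illustrative placeholders, not real events).
# Field names follow the CloudTrail record format used by IAM events.
SAMPLE_LOG = json.dumps({"Records": [
    {   # earlier event that set the boundary we will later need to reinstate
        "eventTime": "2024-05-01T09:58:03Z", "eventSource": "iam.amazonaws.com",
        "eventName": "PutUserPermissionsBoundary",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/admin"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"userName": "build-bot",
                              "permissionsBoundary": "arn:aws:iam::123456789012:policy/DevBoundary"},
    },
    {   # successful removal of a user's boundary
        "eventTime": "2024-05-01T10:15:22Z", "eventSource": "iam.amazonaws.com",
        "eventName": "DeleteUserPermissionsBoundary",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"userName": "build-bot"},
    },
    {   # denied attempt: the boundary stayed in place, but the attempt is notable
        "eventTime": "2024-05-01T10:16:05Z", "eventSource": "iam.amazonaws.com",
        "eventName": "DeleteRolePermissionsBoundary",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/DevRole/session1"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"roleName": "DataPipelineRole"},
        "errorCode": "AccessDenied",
    },
    {   # unrelated IAM event that must not match
        "eventTime": "2024-05-01T10:30:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "ListUsers",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "sourceIPAddress": "203.0.113.10",
    },
    {   # successful removal of a role's boundary
        "eventTime": "2024-05-01T11:02:13Z", "eventSource": "iam.amazonaws.com",
        "eventName": "DeleteRolePermissionsBoundary",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/mallory"},
        "sourceIPAddress": "192.0.2.55",
        "requestParameters": {"roleName": "DataPipelineRole"},
    },
]})

# eventName -> (target type, request parameter that names the target)
BOUNDARY_REMOVAL_EVENTS = {
    "DeleteUserPermissionsBoundary": ("user", "userName"),
    "DeleteRolePermissionsBoundary": ("role", "roleName"),
}
# Events whose requestParameters can carry the boundary ARN for a given entity type.
BOUNDARY_SETTING_EVENTS = {
    "user": {"PutUserPermissionsBoundary", "CreateUser"},
    "role": {"PutRolePermissionsBoundary", "CreateRole"},
}


def _records(log_text):
    return json.loads(log_text).get("Records", [])


def find_boundary_removals(log_text):
    """Return one finding per boundary-removal event, successful or not."""
    findings = []
    for rec in _records(log_text):
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        match = BOUNDARY_REMOVAL_EVENTS.get(rec.get("eventName"))
        if match is None:
            continue
        target_type, name_param = match
        params = rec.get("requestParameters") or {}
        identity = rec.get("userIdentity") or {}
        findings.append({
            "event_time": rec.get("eventTime"),
            "action": rec["eventName"],
            "actor_arn": identity.get("arn"),
            "actor_type": identity.get("type"),
            "source_ip": rec.get("sourceIPAddress"),
            "target_type": target_type,
            "target_name": params.get(name_param),
            # errorCode present means the call failed; the boundary was not removed
            "succeeded": "errorCode" not in rec,
            "error_code": rec.get("errorCode"),
        })
    return findings


def entities_to_review(findings):
    """Entities whose boundary was actually removed; review their later activity."""
    return sorted({(f["target_type"], f["target_name"]) for f in findings if f["succeeded"]})


def last_known_boundary(log_text, target_type, target_name):
    """Most recent boundary ARN set on the entity, or None if the log has no record."""
    name_param = "userName" if target_type == "user" else "roleName"
    arn, latest = None, ""
    for rec in _records(log_text):
        if rec.get("eventName") not in BOUNDARY_SETTING_EVENTS[target_type]:
            continue
        params = rec.get("requestParameters") or {}
        if params.get(name_param) != target_name or "permissionsBoundary" not in params:
            continue
        if rec.get("eventTime", "") > latest:           # ISO-8601 strings sort chronologically
            latest, arn = rec["eventTime"], params["permissionsBoundary"]
    return arn


if __name__ == "__main__":
    findings = find_boundary_removals(SAMPLE_LOG)
    for f in findings:
        status = "removed" if f["succeeded"] else f"failed ({f['error_code']})"
        print(f"{f['event_time']} {f['actor_arn']} from {f['source_ip']}: "
              f"{f['action']} on {f['target_type']} {f['target_name']} -> {status}")
    for target_type, name in entities_to_review(findings):
        print(f"review {target_type} {name}; last known boundary:",
              last_known_boundary(SAMPLE_LOG, target_type, name))
```

For the role in the sample the log holds no earlier Put/Create event, so last_known_boundary returns None; in that case the boundary ARN has to come from AWS Config history or the infrastructure-as-code that created the role before it can be reinstated with put-user-permissions-boundary or put-role-permissions-boundary.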
Known False Positives
- Authorized administrators making legitimate changes to IAM policies during user or role management