
AWS IAM permission boundary deleted

ID: aws_delete_permission_boundary
Data type: AWS CloudTrail
Severity: Informational
MITRE ATT&CK: TA0004:T1484

Description

AlphaSOC detected the removal of an AWS IAM permissions boundary from a user or role via the DeleteUserPermissionsBoundary or DeleteRolePermissionsBoundary API action. A permissions boundary caps the maximum permissions an IAM entity can exercise regardless of what its identity-based policies grant; removing it lifts that cap, so any permissions the entity's attached policies already grant beyond the boundary take effect immediately, which can enable privilege escalation.

Impact

Threat actors often attempt to gain higher-level permissions by altering AWS IAM policies. Deleting a permissions boundary grants nothing by itself, but it removes the ceiling that was containing the entity's identity policies: a user or role whose policies were written loosely on the assumption that the boundary would constrain them may end up with excessive privileges, potentially leading to unauthorized access to sensitive resources or data breaches.

Severity

Severity: Informational
Condition: AWS IAM permissions boundary was deleted

Investigation and Remediation

Review the AWS CloudTrail record to identify the caller (userIdentity, sourceIPAddress) and the affected entity (requestParameters.userName or requestParameters.roleName), and compare the entity's attached identity-based policies against the boundary that was removed to determine what permissions it effectively gained. If the action is unauthorized, reinstate the permissions boundary (PutUserPermissionsBoundary or PutRolePermissionsBoundary), revoke any potentially compromised credentials, and review every action the entity took after the boundary was removed.
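The following is an added example of the detection and triage steps described above, not AlphaSOC's own detection code. It runs over a handful of constructed CloudTrail-style records (field names follow the CloudTrail record format; the account ID, principal names and IP addresses are made up), flags both boundary-removal API calls, keeps denied attempts but marks them as such, and then lists what the affected entity did after its boundary was removed.

```python
"""Triage helper for AWS IAM permissions-boundary removals in CloudTrail.

Added example; this is not AlphaSOC's detection code. Field names follow
the CloudTrail record format. All records below are constructed samples.
"""
from datetime import datetime

# eventName -> (entity kind, requestParameters key naming the affected entity)
BOUNDARY_REMOVAL_EVENTS = {
    "DeleteUserPermissionsBoundary": ("user", "userName"),
    "DeleteRolePermissionsBoundary": ("role", "roleName"),
}

# Constructed sample records (not real CloudTrail output). IAM is a global
# service, so its events are recorded in us-east-1 regardless of where the
# caller sits; filtering on region would miss them.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "eu-west-1",
     "recipientAccountId": "111122223333",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/deploy-bot"},
     "sourceIPAddress": "10.0.0.5"},
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteUserPermissionsBoundary", "awsRegion": "us-east-1",
     "recipientAccountId": "111122223333",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "deploy-bot"}},
    {"eventTime": "2024-05-01T10:16:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteRolePermissionsBoundary", "awsRegion": "us-east-1",
     "recipientAccountId": "111122223333",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Support/bob",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::111122223333:role/Support"}}},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"roleName": "ci-runner"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T10:20:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "awsRegion": "us-east-1",
     "recipientAccountId": "111122223333",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/deploy-bot"},
     "sourceIPAddress": "10.0.0.5",
     "requestParameters": {"userName": "deploy-bot",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
]


def _ts(record):
    """Parse CloudTrail's ISO 8601 eventTime (always UTC with a 'Z' suffix)."""
    return datetime.fromisoformat(record["eventTime"].replace("Z", "+00:00"))


def principal_arn(record):
    """IAM principal behind a record: the user ARN, or for role sessions the
    role ARN from sessionContext.sessionIssuer rather than the STS session ARN,
    so that a role's activity can be matched across sessions."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
    return ident.get("arn")


def detect_boundary_removals(records):
    """Return one finding per DeleteUser/RolePermissionsBoundary call.
    Failed calls (errorCode present) are kept and marked: a denied attempt
    still tells you who tried."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        spec = BOUNDARY_REMOVAL_EVENTS.get(rec.get("eventName"))
        if spec is None:
            continue
        kind, key = spec
        name = rec.get("requestParameters", {}).get(key)
        findings.append({
            "time": rec["eventTime"],
            "action": rec["eventName"],
            "actor": principal_arn(rec),
            "source_ip": rec.get("sourceIPAddress"),
            "target": f"arn:aws:iam::{rec.get('recipientAccountId')}:{kind}/{name}",
            "succeeded": "errorCode" not in rec,
        })
    return findings


def actions_after_removal(records, finding):
    """Everything the affected entity did after its boundary was removed,
    i.e. inside the window in which its effective permissions were widened."""
    since = datetime.fromisoformat(finding["time"].replace("Z", "+00:00"))
    return [rec for rec in records
            if principal_arn(rec) == finding["target"] and _ts(rec) > since]


if __name__ == "__main__":
    for f in detect_boundary_removals(SAMPLE_RECORDS):
        status = "removed" if f["succeeded"] else "attempted (denied)"
        print(f"{f['time']} {f['actor']} {status} boundary on {f['target']}")
        for rec in actions_after_removal(SAMPLE_RECORDS, f):
            print(f"    follow-on: {rec['eventTime']} {rec['eventName']}")
```

On the sample data the script reports alice removing deploy-bot's boundary, bob's denied attempt against ci-runner, and deploy-bot's AttachUserPolicy call five minutes after its boundary was gone, which is exactly the follow-on activity the investigation step asks you to review. In a real pipeline the `recipientAccountId` lookup matters because CloudTrail only gives you the bare user or role name in `requestParameters`, not an ARN.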

Known False Positives

  • Authorized administrators making legitimate changes to IAM policies during user or role management