From c41b8c64d62c8a492ec5d92f9b4c27fd6540bd30 Mon Sep 17 00:00:00 2001
From: bryans3c
Date: Thu, 18 Jun 2026 13:08:13 +0200
Subject: [PATCH 1/7] [New Rule] AWS IAM Permissions Boundary Modified or Removed
---
 ...ion_iam_permissions_boundary_modified.toml | 140 ++++++++++++++++++
 1 file changed, 140 insertions(+)
 create mode 100644 rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml
diff --git a/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml b/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml
new file mode 100644
index 00000000000..0db059a5531
--- /dev/null
+++ b/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml
@@ -0,0 +1,140 @@
+[metadata]
+creation_date = "2026/06/18"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2026/06/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the modification or removal of an IAM permissions boundary on an IAM user or role. A permissions boundary
+caps the maximum permissions an identity can have, regardless of its attached identity policies. An adversary who can
+delete a boundary (`DeleteUserPermissionsBoundary`, `DeleteRolePermissionsBoundary`) or replace it with a more
+permissive one (`PutUserPermissionsBoundary`, `PutRolePermissionsBoundary`) can lift that cap and unlock permissions the
+identity's policies already grant, enabling privilege escalation. Boundary changes are infrequent and usually performed
+by a small set of administrators or infrastructure-as-code pipelines, so changes by unexpected principals warrant
+review.
+"""
+false_positives = [
+ """
+ Permissions boundaries are managed by identity/platform teams and infrastructure-as-code pipelines as part of normal
+ governance. Verify the principal in `aws.cloudtrail.user_identity.arn`, the targeted user or role, and the boundary
+ policy against approved change records. Known administration roles and deployment automation can be excluded after
+ validation.
+ """,
+]
+from = "now-6m"
+index = ["logs-aws.cloudtrail-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS IAM Permissions Boundary Modified or Removed"
+note = """## Triage and analysis
+
+### Investigating AWS IAM Permissions Boundary Modified or Removed
+
+An IAM permissions boundary is the maximum set of permissions an identity can ever have — even if its identity policies
+grant more, the effective permissions are the intersection of the two. Removing a boundary
+(`DeleteUserPermissionsBoundary` / `DeleteRolePermissionsBoundary`) or replacing it with a broader one
+(`PutUserPermissionsBoundary` / `PutRolePermissionsBoundary`) lifts that cap, so any permissions already present in the
+identity's attached policies immediately take effect. This is a recognized privilege-escalation path: an adversary who
+can edit a boundary can unlock latent permissions without attaching any new policy.
+
+#### Possible investigation steps
+
+- Identify the actor in `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and
+ `aws.cloudtrail.user_identity.session_context.session_issuer.arn`, and review `source.ip` / `user_agent.original` to
+ determine how the change was made (console, CLI, SDK, automation).
+- Inspect `aws.cloudtrail.request_parameters` for the targeted `userName`/`roleName` and, for `Put*` operations, the
+ `permissionsBoundary` policy ARN that was applied.
+- Determine the identity's attached identity policies to assess what permissions are now unlocked by the boundary
+ change (the effective blast radius).
+- Confirm whether the change aligns with an approved governance change, onboarding, or deployment.
+- Correlate with recent activity by the same principal, such as policy attachment, access key creation, or role
+ assumption that may indicate an escalation chain.
+
+### False positive analysis
+
+- Identity/platform teams and infrastructure-as-code routinely set and update boundaries. Confirm the change is approved
+ and exclude known administration roles or automation on `aws.cloudtrail.user_identity.arn` after validation.
+
+### Response and remediation
+
+- If the change is unauthorized, restore the intended permissions boundary on the affected identity and review what the
+ identity could access while the boundary was relaxed or absent.
+- Rotate or restrict credentials for the principal that made the change if compromise is suspected, and constrain
+ `iam:PutUserPermissionsBoundary`, `iam:PutRolePermissionsBoundary`, `iam:DeleteUserPermissionsBoundary`, and
+ `iam:DeleteRolePermissionsBoundary` to a small set of trusted administrators.
+
+### Additional information
+
+- [IAM permissions boundaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
+- [AWS IAM privilege escalation paths](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)
+"""
+references = [
+ "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html",
+ "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/",
+]
+risk_score = 47
+rule_id = "0f5d410c-a594-4cdb-8b48-f36a61838d67"
+severity = "medium"
+tags = [
+ "Domain: Cloud",
+ "Domain: Identity",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS IAM",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "aws.cloudtrail"
+ and event.provider: "iam.amazonaws.com"
+ and event.action: (
+ "PutUserPermissionsBoundary" or
+ "PutRolePermissionsBoundary" or
+ "DeleteUserPermissionsBoundary" or
+ "DeleteRolePermissionsBoundary"
+ )
+ and event.outcome: "success"
+ and not aws.cloudtrail.user_identity.type: "AWSService"
+ and not aws.cloudtrail.user_identity.arn: arn*/terraform
+ and not source.as.organization.name: (Amazon* or Google*)
+ and not source.address: ("cloudformation.amazonaws.com" or "servicecatalog.amazonaws.com")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "user.name",
+ "user_agent.original",
+ "source.ip",
+ "aws.cloudtrail.user_identity.arn",
+ "aws.cloudtrail.user_identity.type",
+ "aws.cloudtrail.user_identity.access_key_id",
+ "aws.cloudtrail.user_identity.session_context.session_issuer.arn",
+ "aws.cloudtrail.request_parameters",
+ "aws.cloudtrail.response_elements",
+ "event.action",
+ "event.outcome",
+ "cloud.account.id",
+ "cloud.region",
+]
+
From 46056a3b0a935d5255105349cba45a9bfc0768bc Mon Sep 17 00:00:00 2001
From: Bryan Porras
Date: Thu, 18 Jun 2026 15:42:02 +0200
Subject: [PATCH 2/7] Update privilege_escalation_iam_permissions_boundary_modified.toml
---
 ...ion_iam_permissions_boundary_modified.toml | 30 +++++--------------
 1 file changed, 8 insertions(+), 22 deletions(-)
diff --git a/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml b/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml
index 0db059a5531..3de73950b8f 100644
--- a/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml
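Review bot: The `source.as.organization.name: (Amazon* or Google*)` exclusion in the query drops every boundary change whose source address is GeoIP-attributed to Amazon or Google, which would presumably include calls made from EC2 or GCE workloads in the account and not only AWS-side automation, so an IAM change issued from a compromised instance role is never alerted on; patch 3 widens this with `AMAZON*`, and the `arn*/terraform` suffix clause (rewritten in patch 7) is the same class of name-based exclusion. The service cases the rule wants to suppress are already handled by `user_identity.type: "AWSService"` and the `source.address` clause, so I would drop the ASN clause, or replace it with the exact deployment role ARNs after validation, which is what the `false_positives` text itself recommends. Separately, the query cannot distinguish a boundary that was tightened from one that was loosened, so the `note` should warn analysts that a `Put*` event needs the previous and new `permissionsBoundary` ARNs compared before it is treated as escalation, e.g. `- A Put* event may also narrow a boundary; compare the previous and new policy before escalating.`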
@@ -32,38 +32,24 @@ note = """## Triage and analysis
 
 ### Investigating AWS IAM Permissions Boundary Modified or Removed
 
-An IAM permissions boundary is the maximum set of permissions an identity can ever have — even if its identity policies
-grant more, the effective permissions are the intersection of the two. Removing a boundary
-(`DeleteUserPermissionsBoundary` / `DeleteRolePermissionsBoundary`) or replacing it with a broader one
-(`PutUserPermissionsBoundary` / `PutRolePermissionsBoundary`) lifts that cap, so any permissions already present in the
-identity's attached policies immediately take effect. This is a recognized privilege-escalation path: an adversary who
-can edit a boundary can unlock latent permissions without attaching any new policy.
+An IAM permissions boundary is the maximum set of permissions an identity can ever have — even if its identity policies grant more, the effective permissions are the intersection of the two. Removing a boundary (`DeleteUserPermissionsBoundary` / `DeleteRolePermissionsBoundary`) or replacing it with a broader one (`PutUserPermissionsBoundary` / `PutRolePermissionsBoundary`) lifts that cap, so any permissions already present in the identity's attached policies immediately take effect. This is a recognized privilege-escalation path: an adversary who can edit a boundary can unlock latent permissions without attaching any new policy.
 
 #### Possible investigation steps
 
-- Identify the actor in `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and
- `aws.cloudtrail.user_identity.session_context.session_issuer.arn`, and review `source.ip` / `user_agent.original` to
- determine how the change was made (console, CLI, SDK, automation).
-- Inspect `aws.cloudtrail.request_parameters` for the targeted `userName`/`roleName` and, for `Put*` operations, the
- `permissionsBoundary` policy ARN that was applied.
-- Determine the identity's attached identity policies to assess what permissions are now unlocked by the boundary
- change (the effective blast radius).
+- Identify the actor in `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `aws.cloudtrail.user_identity.session_context.session_issuer.arn`, and review `source.ip` / `user_agent.original` to determine how the change was made (console, CLI, SDK, automation).
+- Inspect `aws.cloudtrail.request_parameters` for the targeted `userName`/`roleName` and, for `Put*` operations, the `permissionsBoundary` policy ARN that was applied.
+- Determine the identity's attached identity policies to assess what permissions are now unlocked by the boundary change (the effective blast radius).
 - Confirm whether the change aligns with an approved governance change, onboarding, or deployment.
-- Correlate with recent activity by the same principal, such as policy attachment, access key creation, or role
- assumption that may indicate an escalation chain.
+- Correlate with recent activity by the same principal, such as policy attachment, access key creation, or role assumption that may indicate an escalation chain.
 
 ### False positive analysis
 
-- Identity/platform teams and infrastructure-as-code routinely set and update boundaries. Confirm the change is approved
- and exclude known administration roles or automation on `aws.cloudtrail.user_identity.arn` after validation.
+- Identity/platform teams and infrastructure-as-code routinely set and update boundaries. Confirm the change is approved and exclude known administration roles or automation on `aws.cloudtrail.user_identity.arn` after validation.
 
 ### Response and remediation
 
-- If the change is unauthorized, restore the intended permissions boundary on the affected identity and review what the
- identity could access while the boundary was relaxed or absent.
-- Rotate or restrict credentials for the principal that made the change if compromise is suspected, and constrain
- `iam:PutUserPermissionsBoundary`, `iam:PutRolePermissionsBoundary`, `iam:DeleteUserPermissionsBoundary`, and
- `iam:DeleteRolePermissionsBoundary` to a small set of trusted administrators.
+- If the change is unauthorized, restore the intended permissions boundary on the affected identity and review what the identity could access while the boundary was relaxed or absent.
+- Rotate or restrict credentials for the principal that made the change if compromise is suspected, and constrain `iam:PutUserPermissionsBoundary`, `iam:PutRolePermissionsBoundary`, `iam:DeleteUserPermissionsBoundary`, and `iam:DeleteRolePermissionsBoundary` to a small set of trusted administrators.
 
 ### Additional information
 
From a2ad2954b03a94b89cea11fb6d83507199e9c68b Mon Sep 17 00:00:00 2001
From: Bryan Porras
Date: Fri, 19 Jun 2026 15:10:19 +0200
Subject: [PATCH 3/7] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 .../privilege_escalation_iam_permissions_boundary_modified.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml b/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml
index 3de73950b8f..d56fe9a1eb4 100644
--- a/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml
@@ -88,7 +88,7 @@ event.dataset: "aws.cloudtrail"
 and event.outcome: "success"
 and not aws.cloudtrail.user_identity.type: "AWSService"
 and not aws.cloudtrail.user_identity.arn: arn*/terraform
- and not source.as.organization.name: (Amazon* or Google*)
+ and not source.as.organization.name: (Amazon* or AMAZON* or Google*)
 and not source.address: ("cloudformation.amazonaws.com" or "servicecatalog.amazonaws.com")
 '''
 
From 0467764921f0f7d935835f7bb83a12f13988d360 Mon Sep 17 00:00:00 2001
From: Bryan Porras
Date: Thu, 25 Jun 2026 15:57:35 +0200
Subject: [PATCH 4/7] Update rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---
 ...rivilege_escalation_iam_permissions_boundary_modified.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml b/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml
index d56fe9a1eb4..74e94313559 100644
--- a/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml
@@ -9,8 +9,8 @@ author = ["Elastic"]
 description = """
 Identifies the modification or removal of an IAM permissions boundary on an IAM user or role. A permissions boundary
 caps the maximum permissions an identity can have, regardless of its attached identity policies. An adversary who can
-delete a boundary (`DeleteUserPermissionsBoundary`, `DeleteRolePermissionsBoundary`) or replace it with a more
-permissive one (`PutUserPermissionsBoundary`, `PutRolePermissionsBoundary`) can lift that cap and unlock permissions the
+delete a boundary ("DeleteUserPermissionsBoundary", "DeleteRolePermissionsBoundary") or replace it with a more
+permissive one ("PutUserPermissionsBoundary", "PutRolePermissionsBoundary") can lift that cap and unlock permissions the
 identity's policies already grant, enabling privilege escalation. Boundary changes are infrequent and usually performed
 by a small set of administrators or infrastructure-as-code pipelines, so changes by unexpected principals warrant
 review.
From e7d681362bc36779fb413b2d0e8df17dc206f249 Mon Sep 17 00:00:00 2001
From: Bryan Porras
Date: Thu, 25 Jun 2026 15:57:56 +0200
Subject: [PATCH 5/7] Update rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---
 .../privilege_escalation_iam_permissions_boundary_modified.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml b/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml
index 74e94313559..20c6473d624 100644
--- a/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml
@@ -77,7 +77,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "iam.amazonaws.com"
 and event.action: (
 "PutUserPermissionsBoundary" or
From 3c1fab00c38d185636094c0e99fcb888abee7f9d Mon Sep 17 00:00:00 2001
From: Bryan Porras
Date: Fri, 26 Jun 2026 15:07:11 +0200
Subject: [PATCH 6/7] Apply suggestions from code review
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---
 ...rivilege_escalation_iam_permissions_boundary_modified.toml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml b/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml
index 20c6473d624..1deb13dc33a 100644
--- a/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml
@@ -51,10 +51,6 @@ An IAM permissions boundary is the maximum set of permissions an identity can ev
 - If the change is unauthorized, restore the intended permissions boundary on the affected identity and review what the identity could access while the boundary was relaxed or absent.
 - Rotate or restrict credentials for the principal that made the change if compromise is suspected, and constrain `iam:PutUserPermissionsBoundary`, `iam:PutRolePermissionsBoundary`, `iam:DeleteUserPermissionsBoundary`, and `iam:DeleteRolePermissionsBoundary` to a small set of trusted administrators.
 
-### Additional information
-
-- [IAM permissions boundaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
-- [AWS IAM privilege escalation paths](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)
 """
 references = [
 "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html",
From b1f0f958574a59dd65fbd032001a04814a62ee90 Mon Sep 17 00:00:00 2001
From: Bryan Porras
Date: Fri, 26 Jun 2026 15:08:44 +0200
Subject: [PATCH 7/7] Update privilege_escalation_iam_permissions_boundary_modified.toml
---
 ...privilege_escalation_iam_permissions_boundary_modified.toml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml b/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml
index 1deb13dc33a..2ba104958a3 100644
--- a/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml
@@ -83,7 +83,8 @@ data_stream.dataset: "aws.cloudtrail"
 )
 and event.outcome: "success"
 and not aws.cloudtrail.user_identity.type: "AWSService"
- and not aws.cloudtrail.user_identity.arn: arn*/terraform
+ and not user_agent.original: (*terraform* or *pulumi* or *ansible*)
+ and not aws.cloudtrail.user_identity.arn: (*terraform* or *pulumi* or *ansible*)
 and not source.as.organization.name: (Amazon* or AMAZON* or Google*)
 and not source.address: ("cloudformation.amazonaws.com" or "servicecatalog.amazonaws.com")
 '''
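Review bot: The new `user_agent.original: (*terraform* or *pulumi* or *ansible*)` exclusion keys on a value the API client supplies itself, so it is not a trustworthy reason to suppress a privilege-relevant IAM change, and the ARN clause beside it now matches `*terraform*` anywhere in the principal ARN, which is broader than the `arn*/terraform` suffix it replaces. A safer shape is an exact allowlist of the known deployment principals on `aws.cloudtrail.user_identity.arn` with the user-agent clause removed, e.g. `and not aws.cloudtrail.user_identity.arn: ("arn:aws:iam::<ACCOUNT_ID>:role/<DEPLOY_ROLE>")` with the placeholders filled from the account's change records. If the substring exclusions are kept, the `false_positives` text should state that events carrying these user-agent or ARN substrings are dropped, so analysts know the rule does not cover that traffic.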