
Summary
Detects AWS IAM permissions boundary modifications or removals on IAM users or roles by analyzing CloudTrail events. The permissions boundary limits the maximum permissions an identity can obtain; deleting a boundary (DeleteUserPermissionsBoundary/DeleteRolePermissionsBoundary) or widening it (PutUserPermissionsBoundary/PutRolePermissionsBoundary) can immediately lift that cap and enable privileges under existing identity policies.

The rule triggers on successful Put/Delete boundary operations within the last 6 minutes (as ingested) and excludes actions performed by AWS services, as well as common IaC automation tools (Terraform, Pulumi, Ansible) and certain AWS change channels (CloudFormation, Service Catalog) to reduce false positives. It leverages fields such as aws.cloudtrail.user_identity.arn/type/session_issuer.arn, aws.cloudtrail.request_parameters (userName/roleName and permissionsBoundary), and event.action to identify the actor, target, and boundary policy involved. The suspected activity maps to MITRE ATT&CK T1098 (Account Manipulation) under Privilege Escalation (TA0004).

Investigations should verify the actor’s identity, review change records, assess the boundary’s effect on access, and confirm alignment with governance or deployment activity. Triage should consider routine boundary management by administrators or automation and exclude known trusted principals. If unauthorized, restore the intended boundary, review the identity’s access, rotate credentials if needed, and restrict IAM boundary modification actions to a small set of trusted admins.
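The rule logic above, re-implemented over constructed ECS-style CloudTrail records as an added example (not the rule's own query): field names follow the summary, while the user-agent substrings and `invoked_by` values used for the IaC and AWS change-channel exclusions are assumptions, since the summary does not say how those exclusions are matched.

```python
from datetime import datetime, timedelta, timezone

BOUNDARY_ACTIONS = {"PutUserPermissionsBoundary", "PutRolePermissionsBoundary",
                    "DeleteUserPermissionsBoundary", "DeleteRolePermissionsBoundary"}
# Assumed: the summary does not state how IaC tools and AWS change channels are matched.
IAC_USER_AGENTS = ("terraform", "pulumi", "ansible")
AWS_CHANGE_CHANNELS = {"cloudformation.amazonaws.com", "servicecatalog.amazonaws.com"}
LOOKBACK = timedelta(minutes=6)

def matches(ev: dict, now: datetime) -> bool:
    """Rule conditions and exclusions applied to one ECS-style CloudTrail event."""
    ua = ev.get("user_agent.original", "").lower()
    return (ev.get("event.action") in BOUNDARY_ACTIONS
            and ev.get("event.outcome") == "success"        # AccessDenied etc. ignored
            and now - ev["@timestamp"] <= LOOKBACK           # 6-minute window
            and ev.get("aws.cloudtrail.user_identity.type") != "AWSService"
            and ev.get("aws.cloudtrail.user_identity.invoked_by") not in AWS_CHANGE_CHANNELS
            and not any(tool in ua for tool in IAC_USER_AGENTS))

def alerts(events: list, now: datetime) -> list:
    """One alert per matching event: actor, target identity, action, boundary ARN."""
    out = []
    for ev in (e for e in events if matches(e, now)):
        p = ev.get("aws.cloudtrail.request_parameters", {})
        out.append({  # for assumed-role sessions, attribute to the issuing role
            "actor": ev.get("aws.cloudtrail.user_identity.session_issuer.arn")
                     or ev.get("aws.cloudtrail.user_identity.arn"),
            "target": p.get("userName") or p.get("roleName"),
            "action": ev["event.action"],
            "boundary": p.get("permissionsBoundary")})
    return out
NOW = datetime(2026, 6, 18, 12, 0, tzinfo=timezone.utc)  # constructed clock
SAMPLE_EVENTS = [  # constructed records, not real CloudTrail data
    {"@timestamp": NOW - timedelta(minutes=1), "event.outcome": "success",
     "event.action": "DeleteRolePermissionsBoundary",
     "aws.cloudtrail.user_identity.type": "IAMUser",
     "aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:user/alice",
     "aws.cloudtrail.request_parameters": {"roleName": "DataPipelineRole"}},
    {"@timestamp": NOW - timedelta(minutes=2), "event.outcome": "success",
     "event.action": "PutUserPermissionsBoundary",
     "aws.cloudtrail.user_identity.type": "AssumedRole",
     "aws.cloudtrail.user_identity.session_issuer.arn": "arn:aws:iam::111122223333:role/ci",
     "user_agent.original": "APN/1.0 HashiCorp/1.0 Terraform/1.8.0",
     "aws.cloudtrail.request_parameters": {"userName": "svc-deploy",
         "permissionsBoundary": "arn:aws:iam::111122223333:policy/DevBoundary"}},
    {"@timestamp": NOW - timedelta(minutes=3), "event.outcome": "failure",
     "event.action": "DeleteUserPermissionsBoundary",
     "aws.cloudtrail.user_identity.type": "IAMUser",
     "aws.cloudtrail.request_parameters": {"userName": "bob"}},
]
```

Only the console-driven DeleteRolePermissionsBoundary fires; the Terraform-tagged Put and the failed Delete are filtered out, which is the false-positive behaviour the summary describes.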
Categories
- Cloud
- Identity Management
- AWS
Data Sources
- Cloud Service
- User Account
ATT&CK Techniques
- T1098
Created: 2026-06-18