diff --git a/manifests/cf-manifest/operations.d/750-s3-broker.yml b/manifests/cf-manifest/operations.d/750-s3-broker.yml
index fbadfa7226..210f5b4ee2 100644
--- a/manifests/cf-manifest/operations.d/750-s3-broker.yml
+++ b/manifests/cf-manifest/operations.d/750-s3-broker.yml
@@ -4,9 +4,9 @@
 path: /releases/-
 value:
 name: s3-broker
- version: 0.0.1697125911
- url: https://s3-eu-west-1.amazonaws.com/gds-paas-build-releases/s3-broker-0.0.1697125911.tgz
- sha1: 2381f51e7878ba039c26b7b72be7ca2acce5e01a
+ version: 0.0.1697719228
+ url: https://s3-eu-west-1.amazonaws.com/gds-paas-build-releases/s3-broker-0.0.1697719228.tgz
+ sha1: 84c0d4c893fc36ce130e4c77895d44e4fb961e3c
 
 - type: replace
 path: /addons/name=loggregator_agent/exclude/jobs/-
@@ -40,6 +40,7 @@
 iam_user_path: "/paas-s3-broker/"
 iam_ip_restriction_policy_arn: "((terraform_outputs_s3_broker_ip_restriction_policy_arn))"
 iam_common_user_policy_arn: "((terraform_outputs_s3_broker_common_user_policy_arn))"
+ iam_user_permissions_boundary_arn: "((terraform_outputs_s3_broker_user_permissions_boundary_arn))"
 deploy_environment: "((environment))"
 tls: ((secrets_s3_broker_tls_cert))
 locket:
diff --git a/terraform/cloudfoundry/outputs.tf b/terraform/cloudfoundry/outputs.tf
index f3be0dd80a..4c19612780 100644
--- a/terraform/cloudfoundry/outputs.tf
+++ b/terraform/cloudfoundry/outputs.tf
@@ -149,6 +149,10 @@ output "s3_broker_common_user_policy_arn" {
 value = aws_iam_policy.s3_broker_user_common.arn
 }
 
+output "s3_broker_user_permissions_boundary_arn" {
+ value = aws_iam_policy.s3_broker_user_permissions_boundary.arn
+}
+
 output "restrict_to_local_ips_policy_arn" {
 value = aws_iam_policy.restrict_to_local_ips.arn
 }
diff --git a/terraform/cloudfoundry/s3_broker.tf b/terraform/cloudfoundry/s3_broker.tf
index 869a351a19..6de1ccb7c0 100644
--- a/terraform/cloudfoundry/s3_broker.tf
+++ b/terraform/cloudfoundry/s3_broker.tf
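Review bot: The new output `s3_broker_user_permissions_boundary_arn` reads `aws_iam_policy.s3_broker_user_permissions_boundary.arn`, which is a managed-resource address, but the only declaration of that name added in this commit (s3_broker.tf) is a `data "aws_iam_policy"` block; unless a managed resource by the same name exists outside the diff, `terraform validate` rejects this as a reference to an undeclared resource and the ops file's new `iam_user_permissions_boundary_arn` is never populated. Change it to `value = data.aws_iam_policy.s3_broker_user_permissions_boundary.arn`. Since this ARN is what the broker is presumably expected to attach as the permissions boundary of every IAM user it creates, a `description` on the output saying so would help the next reader understand why it matters, e.g. `description = "Permissions boundary attached to every IAM user created by the S3 broker"`.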
@@ -55,3 +55,7 @@ resource "aws_iam_policy" "s3_broker_user_common" {
 name = "${var.env}S3BrokerUserCommon"
 description = "Common policy for all S3 broker IAM users: allows access to all S3 resources not owned by our AWS account"
 }
+
+data "aws_iam_policy" "s3_broker_user_permissions_boundary" {
+ name = "S3BrokerUserPermissionsBoundary"
+}
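Review bot: The boundary policy is resolved by `name = "S3BrokerUserPermissionsBoundary"` alone, with no `path_prefix` and, unlike `${var.env}S3BrokerUserCommon` just above it, no environment prefix, so every environment applied from this module pins its broker-created users to one account-global policy that is created and edited outside this Terraform. A permissions boundary is the effective ceiling on whatever the broker grants those users, so its document is the control that matters here, and it is neither versioned nor drift-checked in this repository; prefer managing it as an `aws_iam_policy` resource with an explicit document, or at minimum narrow the lookup with `path_prefix` and add a comment recording where it is owned, e.g. `# Managed out of band (see <location>); any edit to its document widens or narrows every IAM user the broker creates.` One thing this does get right is failing closed: if the policy is absent, `plan` errors instead of deploying a broker with no boundary.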