diff --git a/replication.tf b/replication.tf
index cb0af93c..04bcce3d 100644
--- a/replication.tf
+++ b/replication.tf
@@ -1,8 +1,9 @@
 resource "aws_iam_role" "replication" {
   count = local.replication_enabled ? 1 : 0
-  name = format("%s-replication", module.this.id)
-  assume_role_policy = data.aws_iam_policy_document.replication_sts[0].json
+  name = format("%s-replication", module.this.id)
+  assume_role_policy = data.aws_iam_policy_document.replication_sts[0].json
+  permissions_boundary = var.s3_replication_permission_boundary_arn
 }
 data "aws_iam_policy_document" "replication_sts" {
diff --git a/variables.tf b/variables.tf
index 2e73eaf7..c3ffc9a0 100644
--- a/variables.tf
+++ b/variables.tf
@@ -280,6 +280,12 @@ variable "s3_replication_source_roles" {
   description = "Cross-account IAM Role ARNs that will be allowed to perform S3 replication to this bucket (for replication within the same AWS account, it's not necessary to adjust the bucket policy)."
 }
+variable "s3_replication_permission_boundary_arn" {
+  type = string
+  default = null
+  description = "Permission boundary ARN of the IAM replication role. Defaults to null."
+}
+
 variable "bucket_name" {
   type = string
   default = null
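Review bot: The new `permissions_boundary` line caps the effective permissions of the replication role, but nothing in this hunk or the commit ties the boundary to the S3/KMS actions the role's policy (defined outside this hunk) grants, so a boundary that omits them makes replication fail at runtime with AccessDenied rather than at plan time. A one-line comment on the new argument would save the next operator a debugging session: `# Optional boundary: it must itself allow the S3 and KMS actions granted to this role, or replication is denied at runtime.`. When the variable is left at its null default the argument is omitted, so existing callers are unaffected, which is worth stating in the same comment. The `name` and `assume_role_policy` lines appear to change only in alignment; the role's inline policy and the `replication_sts` document continue outside the hunk.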
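Review bot: The new variable's description does not say what kind of ARN is expected or what the boundary does to the role, and "Defaults to null" only repeats the `default` line; I would replace it with `description = "ARN of the IAM policy to attach as a permissions boundary to the IAM role created for S3 replication. The boundary caps that role's effective permissions, so it must permit the S3 and KMS actions the replication policy grants. Leave null to attach no boundary."`. Because a wrong value (for example a role ARN instead of a policy ARN) is only rejected by the API at apply time, a validation block would catch it at plan time; this assumes the module already requires a Terraform version that supports `validation` blocks, which I cannot see here, and the pattern below deliberately accepts any partition and both account-scoped and AWS-managed policy ARNs. The variable name uses singular "permission" while the resource argument is `permissions_boundary`; aligning them would make the two easier to grep together.
```terraform
variable "s3_replication_permission_boundary_arn" {
  type        = string
  default     = null
  description = "ARN of the IAM policy to attach as a permissions boundary to the IAM role created for S3 replication. The boundary caps that role's effective permissions, so it must permit the S3 and KMS actions the replication policy grants. Leave null to attach no boundary."

  validation {
    condition     = var.s3_replication_permission_boundary_arn == null || can(regex("^arn:[^:]+:iam::[^:]*:policy/", var.s3_replication_permission_boundary_arn))
    error_message = "s3_replication_permission_boundary_arn must be null or an IAM policy ARN (arn:<partition>:iam::<account|aws>:policy/...)."
  }
}
```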