IAM Permission Boundaries

  • AWS supports permissions boundaries for IAM entities (users or roles).

  • A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity.

  • An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundary.

  • When you use a policy to set the permissions boundary for a user, it limits the user's permissions but does not provide permissions on its own.

  • Resource-based policies:

  • Organizations SCPs - SCPs are applied to an entire AWS account. They limit permissions for every request made by a principal within the account. An IAM entity (user or role) can make a request that is affected by an SCP, a permissions boundary, and an identity-based policy. An explicit deny in any of these policies overrides the allow.
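The intersection rule described above, as an added example (not from the original page or AWS): a small simulator that evaluates a request against an identity-based policy, a permissions boundary and an SCP. The policy documents are constructed for illustration and only model Effect, Action and Resource with `*` wildcards.

```python
# Added example: simplified IAM evaluation of identity policy + permissions
# boundary + SCP. Policies below are constructed sample documents, not real ones.
from fnmatch import fnmatchcase

def _as_list(value):
    return [value] if isinstance(value, str) else value

def _matches(statement, action, resource):
    """True when the statement's Action and Resource patterns cover the request."""
    return (any(fnmatchcase(action, a) for a in _as_list(statement["Action"])) and
            any(fnmatchcase(resource, r) for r in _as_list(statement.get("Resource", "*"))))

def _evaluate(policy, action, resource):
    """Verdict of one policy document: 'Deny', 'Allow' or 'Implicit' (no match)."""
    verdict = "Implicit"
    for st in policy["Statement"]:
        if _matches(st, action, resource):
            if st["Effect"] == "Deny":
                return "Deny"       # explicit deny wins over any allow
            verdict = "Allow"
    return verdict

def is_allowed(action, resource, identity_policy, boundary=None, scp=None):
    """A request succeeds only if every applied control allows it.
    A missing boundary or SCP (None) simply does not restrict the request."""
    for policy in (scp, boundary, identity_policy):
        if policy is not None and _evaluate(policy, action, resource) != "Allow":
            return False
    return True

# Constructed sample documents.
IDENTITY = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}]}
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                     {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
NO_S3_IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

def demo():
    """Return the outcome of four requests that exercise each rule on the page."""
    return {
        "s3 read, allowed by all three": is_allowed("s3:GetObject", "*", IDENTITY, BOUNDARY, SCP),
        "ec2 outside the boundary": is_allowed("ec2:RunInstances", "*", IDENTITY, BOUNDARY, SCP),
        "explicit deny in SCP": is_allowed("s3:DeleteBucket", "*", IDENTITY, BOUNDARY, SCP),
        "boundary grants nothing by itself": is_allowed("s3:GetObject", "*", NO_S3_IDENTITY, BOUNDARY, SCP),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'ALLOW' if allowed else 'DENY'}")
```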
