IAM Permission Boundaries

Overview

IAM Permission Boundaries are an advanced feature that sets the maximum permissions an IAM user or role can have. They cap what the entity can do, even when the policies attached to it grant more. They cannot be applied to IAM groups. A boundary is a managed policy chosen to act as the ceiling; it does not grant any permissions on its own.

How They Work

For an action to be allowed:
  • The identity-based policy attached to the entity must grant it.
  • The permission boundary must also allow it.
If either does not allow the action, access is denied (an explicit Deny in either also wins).
Effective permissions = Intersection of IAM Policy and Permission Boundary.

Example

If a boundary doesn’t allow s3:DeleteObject, a user cannot delete objects even if their IAM policy grants that permission.
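The intersection rule above, worked through in code. This is an added illustration, not part of the original notes or an AWS library: both policies are constructed samples, and the evaluator is deliberately simplified (it matches only the Action element and ignores Resource, Condition and NotAction) so the boundary logic stays visible.

```python
import fnmatch
import json

# Constructed sample: identity-based policy attached to the user, granting all of S3.
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}
  ]
}""")

# Constructed sample: the permission boundary (a managed policy) acting as the ceiling.
# It lists read/write actions but deliberately omits s3:DeleteObject.
PERMISSION_BOUNDARY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": "*"}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_decision(policy, action):
    """Simplified single-policy evaluation: explicit Deny wins, then Allow,
    otherwise implicit deny. Action matching is case-insensitive and honours
    IAM-style wildcards (* and ?). Resource/Condition/NotAction are ignored."""
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allow"
    return decision


def is_allowed(identity_policy, boundary, action):
    """Effective permission = intersection: both must allow, neither may deny."""
    return (policy_decision(identity_policy, action) == "allow"
            and policy_decision(boundary, action) == "allow")


if __name__ == "__main__":
    for act in ["s3:GetObject", "s3:DeleteObject", "iam:CreateUser"]:
        verdict = "ALLOW" if is_allowed(IDENTITY_POLICY, PERMISSION_BOUNDARY, act) else "DENY"
        print(f"{act:18} -> {verdict}")
```

Running it shows s3:DeleteObject denied even though the identity policy's s3:* covers it, because the boundary never allows it.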

Use Cases

  • Delegated Administration: Let junior admins create users, but restrict them from assigning high-level privileges.
  • Developer Autonomy with Limits: Developers can create resources, but not modify security settings or escalate privileges.
  • Per-User Restrictions: Apply tighter controls to specific users without affecting the entire account.
  • Layered Control with AWS Organizations: Combine Permission Boundaries with SCPs for multi-level restrictions—SCPs for organization-wide limits, boundaries for per-entity restrictions.