Restricting Policies
Learn how to set an upper bound on the IAM policies.
In this lesson, we’ll discuss two other types of policies that act as upper limits for the IAM entity’s permissions. These advanced optional policies are used when we want to restrict the maximum permissions of an IAM entity.
Permission boundary
Permission boundaries are policies that act as an upper bound on an IAM entity's permissions. Any AWS-managed or customer-managed identity-based policy can be used as a permission boundary. When a permission boundary is attached to an IAM entity, that entity can only perform the actions that are allowed in both its attached identity-based policy and the permission boundary set for it.
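The intersection rule above, as an added example that is not part of the lesson: a simplified Python evaluator with two constructed policies. It matches only the Action element (Resource and Condition are ignored) and treats an explicit Deny in either policy as final.

```python
import fnmatch
import json

# Constructed sample policies (not from the lesson). The boundary caps the
# entity at S3 and CloudWatch Logs; the identity-based policy is broader.
PERMISSIONS_BOUNDARY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "logs:*"], "Resource": "*"}
  ]
}""")

IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["s3:GetObject", "s3:PutObject", "iam:CreateUser", "logs:PutLogEvents"]},
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*"}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action):
    """Simplified single-policy evaluation: an explicit Deny wins, then any
    matching Allow, otherwise implicit deny. Only Action is matched."""
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        if any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            if stmt["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allow"
    return decision


def effective_allow(identity_policy, boundary, action):
    """Allowed only when BOTH the identity-based policy and the permission
    boundary allow the action; anything outside the boundary is denied."""
    return (evaluate(identity_policy, action) == "allow"
            and evaluate(boundary, action) == "allow")


if __name__ == "__main__":
    for act in ["s3:GetObject", "s3:PutObject", "iam:CreateUser",
                "logs:PutLogEvents", "s3:DeleteObject"]:
        verdict = "ALLOW" if effective_allow(IDENTITY_POLICY, PERMISSIONS_BOUNDARY, act) else "DENY"
        print(f"{act:20} -> {verdict}")
```

Note that s3:DeleteObject is denied even though the boundary permits all of S3: the boundary only caps permissions, it never grants any on its own.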
When do we need a permission boundary?
Permission boundaries are mostly useful when we want to limit the permissions of an IAM entity that is created by an IAM user. Consider a scenario ...