
Restricting Policies

Understand how to use permission boundaries and session policies in AWS Identity and Access Management to restrict permissions for IAM entities. Learn when and why to apply these tools to enforce secure and granular access control within your cloud environment.

In this lesson, we’ll discuss two other types of policies, permission boundaries and session policies, that act as upper limits on an IAM entity’s permissions. These advanced, optional policies are used when we want to cap the maximum permissions an IAM entity can have.

Permission boundary

Permission boundaries are policies that act as an upper bound on an IAM entity’s permissions. Any AWS managed or customer managed identity-based policy can be used as a permission boundary. When a permission boundary is attached to an IAM entity, the entity can only perform the actions that are allowed by both its attached identity-based policy and the permission boundary set for it.

Figure: Effective policy when permission boundary is utilized
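The intersection rule above, as an added worked example that is not part of the original lesson: two constructed sample policy documents (a broad identity-based policy and a read-only S3 boundary) and a deliberately simplified evaluator that treats an action as effectively allowed only when both documents allow it and neither explicitly denies it. The evaluator ignores `Resource` and `Condition` elements, which real IAM evaluation does not; the policy contents, the user name and the ARN placeholders are assumptions made for the illustration.

```python
import fnmatch
import json

# Constructed sample identity-based policy: broad S3 access, EC2 read, one explicit Deny.
IDENTITY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
  ]
}
""")

# Constructed sample permission boundary: caps the entity at read-only S3.
BOUNDARY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM allows a single string or a list for Action; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _policy_decision(policy, action):
    """Simplified single-document evaluation: an explicit Deny that matches
    wins over any Allow; Allow if some Allow statement matches; otherwise
    implicit deny. Action matching is case-insensitive with '*' wildcards,
    as in IAM. Resource and Condition elements are ignored here (assumption)."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        allowed = True
    return "allow" if allowed else "implicit_deny"


def is_effectively_allowed(identity_policy, boundary_policy, action):
    """With a boundary attached, an action is permitted only if the
    identity-based policy AND the boundary both allow it; a Deny or an
    implicit deny in either document blocks it."""
    return (_policy_decision(identity_policy, action) == "allow"
            and _policy_decision(boundary_policy, action) == "allow")


def effective_actions(identity_policy, boundary_policy, candidate_actions):
    """Return the sorted subset of candidate actions that survive the intersection."""
    return sorted(a for a in candidate_actions
                  if is_effectively_allowed(identity_policy, boundary_policy, a))


if __name__ == "__main__":
    candidates = ["s3:GetObject", "s3:ListBucket", "s3:PutObject",
                  "s3:DeleteBucket", "ec2:DescribeInstances", "iam:CreateUser"]
    for action in candidates:
        verdict = "ALLOW" if is_effectively_allowed(IDENTITY_POLICY, BOUNDARY_POLICY, action) else "DENY"
        print(f"{action:24} -> {verdict}")
    # Attaching the boundary for real (not run here; account id and policy name are placeholders):
    # boto3.client("iam").put_user_permissions_boundary(
    #     UserName="dev-user",
    #     PermissionsBoundary="arn:aws:iam::<ACCOUNT_ID>:policy/<BOUNDARY_POLICY_NAME>")
```

Note how `ec2:DescribeInstances` is denied even though the identity-based policy allows it: the boundary never mentions EC2, so the implicit deny on the boundary side removes it from the effective permissions. Likewise the explicit Deny on `s3:DeleteBucket` in the identity-based policy holds regardless of what the boundary says.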

When do we need a permission boundary?

Permission boundaries are mostly useful when we want to limit the permissions of IAM entities created by an IAM user. Consider a scenario ...