Delegating Role Creation Safely
Let teams build roles without exceeding a set guardrail.
The Delegation Dilemma
Teams move faster when they can create their own IAM roles and policies, but unrestricted IAM access is dangerous: a developer who can create roles and attach policies can grant themselves administrator rights. The challenge is to let teams build roles while guaranteeing that those roles can never exceed a limit the platform team sets. Permission boundaries are the IAM feature built for exactly this, and delegated role creation is the scenario in which the exam tests them most often.
The Privilege-Escalation Risk
Without guardrails, giving someone iam:CreateRole and iam:AttachRolePolicy is effectively giving them admin. They can create a role whose trust policy lets them assume it, attach AdministratorAccess to it, and assume it. This privilege-escalation path is exactly what safe delegation must close while still allowing legitimate role creation. Closing it has two parts: the delegated iam:CreateRole must be conditioned on the new role carrying the approved boundary (the iam:PermissionsBoundary condition key), and the delegate must be explicitly denied the actions that would remove or rewrite that boundary afterwards, such as iam:DeleteRolePermissionsBoundary on the roles and iam:CreatePolicyVersion on the boundary policy itself. A role created under the boundary can still have AdministratorAccess attached, but its effective permissions are the intersection of that policy with the boundary.
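The two policy documents this delegation needs, plus a small evaluator that walks through the escalation attempts described above, as an added example written for this lesson (it is not the course's own material). The account ID, the dev-* role prefix and the boundary policy ARN are placeholders, and the evaluator is a deliberate simplification of IAM's decision logic (an explicit deny wins, the identity policy is intersected with the boundary, actions and resources are glob-matched, only StringEquals conditions are honoured). It is a teaching aid, not an IAM policy simulator; the policy JSON it prints is what you would hand to aws iam create-policy.

```python
"""Delegated role creation behind a permission boundary (added example)."""
import json
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"                                         # placeholder
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/DevTeamBoundary"  # placeholder
DEV_ROLES = f"arn:aws:iam::{ACCOUNT}:role/dev-*"                 # team's role prefix

# 1. The boundary: the ceiling for every role the team creates. A role with
#    AdministratorAccess attached still cannot act outside this set.
DEV_TEAM_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["s3:*", "dynamodb:*", "lambda:*", "logs:*"]}],
}

# 2. The delegation policy attached to the developers. Role creation is only
#    allowed when the new role carries the boundary, and the actions that
#    would strip, swap or rewrite the boundary are explicitly denied.
DELEGATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CreateRolesOnlyWithBoundary", "Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:PutRolePermissionsBoundary"],
         "Resource": DEV_ROLES,
         "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
        {"Sid": "ManageDevRoles", "Effect": "Allow",
         "Action": ["iam:AttachRolePolicy", "iam:DetachRolePolicy",
                    "iam:PutRolePolicy", "iam:DeleteRolePolicy",
                    "iam:DeleteRole", "iam:PassRole", "iam:GetRole"],
         "Resource": DEV_ROLES},
        {"Sid": "NeverRemoveOrEditTheBoundary", "Effect": "Deny",
         "Action": ["iam:DeleteRolePermissionsBoundary",
                    "iam:CreatePolicyVersion", "iam:DeletePolicy",
                    "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
         "Resource": [f"arn:aws:iam::{ACCOUNT}:role/*", BOUNDARY_ARN]},
    ],
}

ADMINISTRATOR_ACCESS = {"Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    return [value] if isinstance(value, str) else value


def _matches(stmt, action, resource, context):
    """Does one statement apply to this request? (glob match + StringEquals)."""
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    conds = stmt.get("Condition", {}).get("StringEquals", {})
    return all(context.get(key) == expected for key, expected in conds.items())


def _evaluate(policy, action, resource, context):
    """'Deny', 'Allow' or None (implicit deny) for a single policy document."""
    result = None
    for stmt in policy["Statement"]:
        if _matches(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result


def is_allowed(identity_policies, action, resource="*", context=None, boundary=None):
    """Simplified IAM decision: explicit Deny wins; identity policies must
    Allow; if a boundary is set it must Allow too (intersection)."""
    context = context or {}
    identity = [_evaluate(p, action, resource, context) for p in identity_policies]
    if "Deny" in identity or "Allow" not in identity:
        return False
    if boundary is not None:
        return _evaluate(boundary, action, resource, context) == "Allow"
    return True


def escalation_attempts():
    """Each path a delegate might try, evaluated against DELEGATE_POLICY."""
    dev, role = [DELEGATE_POLICY], f"arn:aws:iam::{ACCOUNT}:role/dev-admin"
    ok = {"iam:PermissionsBoundary": BOUNDARY_ARN}
    weak = {"iam:PermissionsBoundary": f"arn:aws:iam::{ACCOUNT}:policy/Anything"}
    return {
        "create_role_no_boundary": is_allowed(dev, "iam:CreateRole", role),
        "create_role_with_boundary": is_allowed(dev, "iam:CreateRole", role, ok),
        "attach_admin_policy": is_allowed(dev, "iam:AttachRolePolicy", role),
        "strip_boundary": is_allowed(dev, "iam:DeleteRolePermissionsBoundary", role),
        "swap_to_weaker_boundary": is_allowed(dev, "iam:PutRolePermissionsBoundary", role, weak),
        "edit_boundary_policy": is_allowed(dev, "iam:CreatePolicyVersion", BOUNDARY_ARN),
        "create_role_outside_prefix": is_allowed(
            dev, "iam:CreateRole", f"arn:aws:iam::{ACCOUNT}:role/prod-admin", ok),
    }


def created_role_effective_permissions():
    """dev-admin has AdministratorAccess attached but is capped by the boundary."""
    attached = [ADMINISTRATOR_ACCESS]
    return {name: is_allowed(attached, action, boundary=DEV_TEAM_BOUNDARY)
            for name, action in [("s3_put_object", "s3:PutObject"),
                                 ("iam_create_user", "iam:CreateUser"),
                                 ("ec2_run_instances", "ec2:RunInstances")]}


if __name__ == "__main__":
    print(json.dumps(DELEGATE_POLICY, indent=2))
    print(escalation_attempts())
    print(created_role_effective_permissions())
```

Only the intended path (create with the boundary, then attach whatever policy the team needs) comes back allowed; stripping, swapping or editing the boundary and creating roles outside the team's prefix are all denied, and the role that ends up with AdministratorAccess attached can still only act within the boundary's services.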
All lessons in this course
- What a Permission Boundary Limits
- Delegating Role Creation Safely
- Organizations, OUs, and SCP Strategy
- How SCPs Combine with IAM Permissions