What a Permission Boundary Limits
Understand the maximum permissions an identity can ever have.
Setting a Ceiling
A permission boundary is an advanced IAM feature that sets the maximum permissions a user or role can ever have. It does not grant anything by itself; it caps what identity-based policies can effectively allow. Permission boundaries are a favorite exam topic because they enable safe delegation of permission management.
Boundary vs Identity Policy
An identity-based policy grants permissions; a permission boundary limits them. The effective permissions are the intersection of the two: an action is allowed only if both the identity policy and the boundary permit it. A boundary can shrink but never widen what the identity policy grants.
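The intersection rule, worked through as an added example (not part of the original lesson and not AWS's evaluation code). It assumes a simplified model: only `Effect` and `Action` are evaluated, every `Resource` is `*`, and there are no conditions, resource-based policies, SCPs or session policies. Both policies are constructed samples and the function names are hypothetical.

```python
import re

def _matches(pattern, action):
    # IAM action names are case-insensitive; '*' and '?' are the wildcards.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def _decision(policy, action):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy."""
    result = None
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit deny always wins
            result = "Allow"
    return result

def is_allowed(identity_policy, boundary, action):
    """Effective permission = identity policy AND boundary both allow."""
    id_dec = _decision(identity_policy, action)
    b_dec = _decision(boundary, action)
    if "Deny" in (id_dec, b_dec):
        return False
    return id_dec == "Allow" and b_dec == "Allow"

# Constructed sample: a broad identity policy attached to a user or role.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "iam:CreateUser"], "Resource": "*"},
]}
# Constructed sample: the boundary that caps it.
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["s3:Get*", "s3:ListBucket", "ec2:Describe*"]},
    {"Effect": "Deny", "Action": "s3:GetObjectAcl", "Resource": "*"},
]}

def effective(actions):
    return {a: is_allowed(IDENTITY_POLICY, BOUNDARY, a) for a in actions}

if __name__ == "__main__":
    sample = ["s3:GetObject", "s3:PutObject", "iam:CreateUser",
              "ec2:DescribeInstances", "s3:GetObjectAcl"]
    for action, ok in effective(sample).items():
        print(f"{action:24} {'ALLOW' if ok else 'DENY'}")
```

`ec2:DescribeInstances` is denied even though the boundary lists it, because the identity policy never grants it: the boundary caps permissions but does not confer them.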