What is a Permissions Boundary?



A permissions boundary allows you to set the maximum permissions within your AWS accounts by capping an entity's effective permissions. It is a best practice to give users only the access they need to perform their jobs (the Principle of Least Privilege), and permissions boundaries help you accomplish this.

Policies in AWS often overlap. Your AWS IAM policies, AWS SCPs, and permissions boundaries all control an entity's (i.e., a user, user group, or role) effective permissions, meaning what it can actually do in the cloud. A permissions boundary helps define the limit on an entity's permissions as the intersection of those policy types.

For example, if a user has an IAM policy allowing them to manage Amazon S3 and AWS CloudWatch, they can manage those two services. But if you set a permissions boundary allowing their maximum permissions to manage Amazon S3, they won't be able to manage AWS CloudWatch, even with an IAM policy allowing it. Nor will they be able to manage any service named by neither policy. Similarly, if the permissions boundary lets the user manage Amazon S3 and AWS CloudWatch, but the IAM policy denies management of AWS CloudWatch, they also won't be able to manage AWS CloudWatch.

Thus, the effective permissions are the intersection of their AWS IAM policies and their permissions boundaries. Denial of an action in either of these policies overrides allowance in the other.


Things get more complicated when SCPs are involved as well. If an identity-based policy, a permissions boundary, and an organization's SCP are all applied to the same entity, a request is only allowed if all three policy types allow it.
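The intersection rule above, as an added example (not Kion's code and not the AWS policy evaluation engine): a toy evaluator over constructed sample policies that mirror the S3 / CloudWatch scenario, treating an explicit Deny in any policy type as final and requiring an Allow from every policy type that is attached. It deliberately matches on action strings only, with no Resource or Condition handling.

```python
"""Toy policy-intersection evaluator (example added here; simplified on purpose:
action-name matching only, no Resource or Condition evaluation)."""
from fnmatch import fnmatchcase

# Constructed sample policies mirroring the article's scenario.
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "cloudwatch:*"]},
]}
# Second identity policy for the "IAM policy denies CloudWatch" case.
IDENTITY_POLICY_DENY_CW = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "cloudwatch:*"]},
    {"Effect": "Deny", "Action": "cloudwatch:*"},
]}
BOUNDARY_S3_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*"},
]}
BOUNDARY_S3_AND_CW = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "cloudwatch:*"]},
]}
SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket"},
]}


def _actions(stmt):
    acts = stmt["Action"]
    return [acts] if isinstance(acts, str) else acts


def _decision(policy, action):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document."""
    result = "Implicit"
    for stmt in policy["Statement"]:
        if any(fnmatchcase(action, pat) for pat in _actions(stmt)):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            result = "Allow"
    return result


def is_allowed(action, identity, boundary=None, scp=None):
    """Allowed only if no attached policy denies and every attached one allows."""
    decisions = [_decision(p, action) for p in (identity, boundary, scp) if p]
    if "Deny" in decisions:
        return False
    return all(d == "Allow" for d in decisions)
```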

Read more about permissions boundaries, how policies intersect, and view sample permissions boundaries on the AWS permissions boundaries page.

In Kion, you can create, view, edit, and delete permissions boundaries the same way you would any other AWS IAM policy.
