Explaining Permission Boundaries in AWS
The aim of this page is to explain permissions boundaries in AWS. I am interested because I manage AWS accounts for clients, and to make our service work a certain policy has to be applied. Clients may find that policy too liberal and define their own permissions boundary based on their concerns and security focus.
2 min read · Aug 16, 2023
- AWS supports the concept of permissions boundaries for IAM entities (users or roles).
- The permissions boundary uses an AWS or customer-managed policy to restrict access.
- A permissions boundary alone doesn’t grant access to anything.
- Some use cases for permissions boundaries include limiting privileges available to IAM roles created by developers and restricting external access of your AWS users and roles.
- An identity-based policy is a type of policy that is attached to an IAM identity (user, group, or role). These policies let you specify what that identity can do (its permissions).
- In general, AWS has six types of policies; permissions boundaries are one of them.
- To set a permissions boundary for an IAM entity, you can use either an AWS-managed policy or a customer-managed policy.
- That policy limits the maximum permissions for the user or role.
- To set a permissions boundary for an IAM entity in the AWS Management Console, follow these steps:
  - Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  - In the navigation pane, choose Users or Roles, depending on the type of entity you want to set a permissions boundary for.
  - Choose the name of the user or role to view its summary page.
  - Choose the Permissions tab.
  - Expand the Set permissions boundary section, and choose Use a permissions boundary to control the maximum role permissions.
  - In the search field, enter the name of the policy you want to use as a permissions boundary, and then choose the radio button for your policy.
- https://youtu.be/t8P8ffqWrsY explains it well: policies allow; sometimes you need to subtract from what they allow, and that is what a permissions boundary is good for.
- At Snowplow we have a required policy, but some clients want to subtract from it. A permissions boundary is one way to do that: the client creates the boundary policy, we validate it, and we attach it to the requested resources via Terraform.
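As an added illustration (not code from the original post or from Snowplow), the following Python simulation shows how the "required" identity policy and a client-defined boundary combine: an explicit Deny in either wins, otherwise both must Allow, and a boundary with no identity grant yields nothing. The sample policies, action list and function names are constructed for this example, and it ignores resource ARNs, conditions and SCPs.

```python
import fnmatch
import json

# Constructed sample policies (not from the page). The identity policy is the broad
# "required" grant; the boundary is a narrower policy that caps what it can do.
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*", "iam:PassRole"], "Resource": "*"}
  ]}""")
BOUNDARY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "dynamodb:Get*", "dynamodb:Query"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
  ]}""")
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(policy, action, effect):
    """True if any statement with the given Effect matches the action.
    IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return any(
        stmt["Effect"] == effect
        and any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                for pat in _as_list(stmt["Action"]))
        for stmt in policy["Statement"]
    )

def is_allowed(action, identity_policy, boundary_policy=None):
    """Simplified evaluation: an explicit Deny in either policy wins; otherwise
    BOTH the identity policy and the boundary (if set) must Allow the action."""
    policies = [identity_policy] + ([boundary_policy] if boundary_policy is not None else [])
    if any(_matches(p, action, "Deny") for p in policies):
        return False
    return all(_matches(p, action, "Allow") for p in policies)

def effective_actions(candidates, identity_policy, boundary_policy=None):
    """Subset of candidate actions that remain usable once the boundary is applied."""
    return sorted(a for a in candidates if is_allowed(a, identity_policy, boundary_policy))

if __name__ == "__main__":
    sample = ["s3:GetObject", "s3:DeleteBucket", "dynamodb:GetItem", "dynamodb:PutItem", "iam:PassRole"]
    print("without boundary:", effective_actions(sample, IDENTITY_POLICY))
    print("with boundary:   ", effective_actions(sample, IDENTITY_POLICY, BOUNDARY_POLICY))
    # A boundary on its own grants nothing: with no identity Allow, nothing is permitted.
    print("boundary only:   ", effective_actions(sample, EMPTY_POLICY, BOUNDARY_POLICY))
```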