IAM Permission Boundaries

A Permission Boundary sets the maximum permissions an IAM user or role can ever have — even if their IAM policy allows more.
How it works

You need TWO things for a permission to actually work:

  1. The IAM Policy must allow it
  2. The Permission Boundary must also allow it

Both must say yes. If either says no — the action is denied.

Example:

Permission Boundary allows: s3:*, cloudwatch:*, ec2:*
IAM Policy allows: iam:CreateUser
Result: DENIED. The effective permissions are empty, because iam:CreateUser is not inside the boundary. The IAM policy says yes, the boundary says no, so the action is blocked.
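To make the "both must say yes" rule concrete, here is a small evaluator, added to these notes as an example and not taken from AWS or from any real account. It implements a simplified version of IAM's evaluation (only Effect, Action and Resource are considered; no Condition, NotAction, SCPs or resource policies), and the policy documents, bucket name and function names are constructed for illustration. It reproduces the note's case (boundary allows S3/CloudWatch/EC2, policy allows only iam:CreateUser, result: nothing works) and also shows the cases a practitioner trips over: an action allowed by the boundary but not the identity policy, a resource outside the identity policy's ARN, and an explicit Deny that wins even though the boundary allows the service.

```python
"""Simplified IAM evaluator demonstrating how a permission boundary caps an identity policy."""
import fnmatch

# Constructed sample documents (assumption: illustrative only, not from a real account).
# The boundary mirrors the note: S3, CloudWatch and EC2 only.
PERMISSION_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "cloudwatch:*", "ec2:*"], "Resource": "*"}
    ],
}

# The note's identity policy: only iam:CreateUser.
NOTE_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:CreateUser", "Resource": "*"}],
}

# A richer identity policy to show resource scoping and explicit Deny.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:CreateUser", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},   # constructed bucket name
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(value, pattern, fold_case):
    # IAM action names are case-insensitive; ARNs are case-sensitive. Both accept * and ? wildcards.
    if fold_case:
        value, pattern = value.lower(), pattern.lower()
    return fnmatch.fnmatchcase(value, pattern)


def policy_decision(policy, action, resource):
    """Evaluate one policy document: returns 'allow', 'deny' or 'implicit_deny'."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        action_hit = any(_matches(action, a, True) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(resource, r, False) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # an explicit Deny always wins
        decision = "allow"
    return decision


def effective_decision(identity_policy, boundary, action, resource="*"):
    """Combine identity policy and boundary: both must allow, any explicit Deny blocks."""
    identity = policy_decision(identity_policy, action, resource)
    if identity == "deny":
        return ("deny", "explicit Deny in identity policy")
    if boundary is not None:
        bound = policy_decision(boundary, action, resource)
        if bound == "deny":
            return ("deny", "explicit Deny in permission boundary")
        if bound != "allow":
            return ("deny", "outside the permission boundary")
    if identity != "allow":
        return ("deny", "identity policy does not allow it")
    return ("allow", "allowed by identity policy and inside the boundary")


def effective_actions(identity_policy, boundary, candidate_actions, resource="*"):
    """The intersection: which of the candidate actions actually work."""
    return [a for a in candidate_actions
            if effective_decision(identity_policy, boundary, a, resource)[0] == "allow"]


if __name__ == "__main__":
    candidates = ["iam:CreateUser", "s3:GetObject", "ec2:DescribeInstances"]
    print("Note's example, effective actions:",
          effective_actions(NOTE_IDENTITY_POLICY, PERMISSION_BOUNDARY, candidates))
    for action, res in [("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"),
                        ("s3:GetObject", "arn:aws:s3:::other-bucket/x"),
                        ("ec2:TerminateInstances", "*"),
                        ("iam:CreateUser", "*")]:
        print(action, res, "->", effective_decision(IDENTITY_POLICY, PERMISSION_BOUNDARY, action, res))
```

Two design points worth noticing when reading the output: a Deny in either document blocks the action regardless of what the other says, and a boundary never grants anything on its own; it only narrows what the identity policy already allows, which is why the note's case ends with an empty list.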

Use Cases