AWS IAM Permission Boundaries

Limiting the Privileges of IAM Entities

Alex Rodriguez
Geek Culture

Hello, World! AWS developers usually only need access to a handful of AWS services to fulfill their project requirements. For example, a web app developer might only need access to AWS IAM, CloudWatch, S3, EC2, and CodeCommit. Granting access to services beyond what's necessary for the scope of a project introduces permission-related risks in an AWS environment: if an account with excess privileges is compromised, the impact on the confidentiality, integrity, and availability (CIA) of the resources hosted on AWS can be devastating.

Adhering to the least privilege principle is an effective way of preventing the creation of shadow admins and permissions creep. One way to implement the least privilege principle within IAM is to use permissions boundaries. In this blog post, we'll dive into what permissions boundaries are and how we can use them to limit access to AWS resources. Let's do it!

Terminology

  • IAM Entity — An IAM user or role
  • Policy — A JSON document that defines an IAM entity's permissions in AWS

Permissions Boundary

Permissions boundaries allow account administrators to set the maximum permissions an IAM entity can have, regardless of the permissions granted in its identity-based policy. The boundary itself grants nothing: the entity's effective permissions are the intersection of its identity-based policy and its boundary, so a permission that appears in only one of the two is not granted.
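To make the "maximum permissions" idea concrete, here is a small Python model of how a permissions boundary caps an identity-based policy. This is an added illustration, not code from the post or from AWS: it reproduces only the identity-policy/boundary intersection for a single entity (explicit deny wins, otherwise both documents must allow the action on the resource), and deliberately ignores SCPs, session policies, resource-based policies, `NotAction`/`NotResource`, and policy conditions. The two policy documents, the bucket ARN, and the function names are constructed for the example.

```python
"""Simplified model of how an IAM permissions boundary caps an identity-based policy.

Added illustration, not code from the original post. It models only the
identity-policy / permissions-boundary intersection for one IAM entity; real
IAM evaluation also considers SCPs, session policies, resource-based policies,
NotAction/NotResource and Condition blocks, all of which are omitted here.
"""
from fnmatch import fnmatchcase
from typing import Iterable, List, Optional


def _as_list(value) -> list:
    """IAM lets 'Action' and 'Resource' be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    # IAM action names are case-insensitive; '*' and '?' are the only wildcards.
    # ARNs are compared case-insensitively here for simplicity (a modelling shortcut).
    return fnmatchcase(value.lower(), pattern.lower())


def _decision(policy: dict, action: str, resource: str) -> str:
    """Evaluate one policy document: 'Deny', 'Allow', or 'Implicit' (nothing matched)."""
    decision = "Implicit"
    for stmt in _as_list(policy["Statement"]):
        action_hit = any(_matches(a, action) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt.get("Resource", "*")))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            decision = "Allow"
    return decision


def is_allowed(action: str, resource: str, identity_policy: dict,
               boundary: Optional[dict]) -> bool:
    """An entity may act only if its identity policy AND its boundary both allow it."""
    identity = _decision(identity_policy, action, resource)
    if boundary is None:
        return identity == "Allow"
    return identity == "Allow" and _decision(boundary, action, resource) == "Allow"


def effective_actions(candidates: Iterable[str], resource: str,
                      identity_policy: dict, boundary: Optional[dict]) -> List[str]:
    """Return the subset of candidate actions the entity can actually perform."""
    return sorted(a for a in candidates if is_allowed(a, resource, identity_policy, boundary))


# Constructed sample documents (hypothetical, not from the post).
# The boundary caps the entity to the services a web-app developer needs and
# explicitly denies bucket deletion even though s3:* is otherwise allowed.
WEB_DEV_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:*", "ec2:*", "cloudwatch:*", "logs:*", "codecommit:*",
                    "iam:Get*", "iam:List*"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

# An identity-based policy that is broader than the boundary: it also grants iam:*.
OVERLY_BROAD_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "codecommit:*", "iam:*"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    bucket = "arn:aws:s3:::example-bucket"  # constructed ARN
    for action in ["s3:GetObject", "s3:DeleteBucket", "iam:CreateUser", "ec2:RunInstances"]:
        print(f"{action:20s} -> {is_allowed(action, bucket, OVERLY_BROAD_IDENTITY_POLICY, WEB_DEV_BOUNDARY)}")
```

Running it shows the three outcomes that matter: `iam:CreateUser` is blocked even though the identity policy grants `iam:*` (the boundary caps it), `ec2:RunInstances` is blocked even though the boundary allows it (a boundary grants nothing on its own), and `s3:DeleteBucket` is blocked by the explicit deny despite `s3:*` appearing in both documents.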

I am an Offensive Security Engineer @ Amazon who writes about cybersecurity and anything related to technology. Opinions are my own.