What is an IAM Permissions Boundary?
A permissions boundary is an advanced policy that sets the maximum permissions an IAM user or role can ever have, regardless of its attached policies.
A permissions boundary does not grant anything. It caps. The effective permissions of an identity are the intersection of its permissions policies and its boundary: an action is allowed only if both permit it. This makes boundaries the key control for safe delegation — you can let a team create their own roles while guaranteeing those roles can never exceed the boundary.
Boundaries are why several privilege-escalation paths are survivable. Even if an attacker attaches AdministratorAccess to themselves, their effective permissions are still clamped to whatever the boundary allows.
Common mistake
Granting permission-management actions (iam:CreatePolicyVersion, iam:AttachUserPolicy, iam:PutUserPolicy) without also enforcing a permissions boundary leaves the identity able to rewrite or attach its own policies and so grant itself more than intended; with a boundary in place, anything it adds is still clamped to the boundary.
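To make the intersection rule and the common mistake above concrete, here is an added Python illustration (not code from this page or from Shieldly) that models a simplified IAM decision: an explicit Deny anywhere wins, otherwise the action is allowed only if an identity policy allows it and, when a boundary is attached, the boundary allows it too. All policy documents are constructed samples; resource-level matching, NotAction, conditions, SCPs and session policies are assumed out of scope.

```python
"""Simplified IAM effective-permission evaluator (added illustration).

Assumptions: single account, no SCPs or session policies, action-level
matching only (Resource and Condition are ignored), no NotAction.
"""
import fnmatch

# --- Constructed sample policies (not real account data) -------------------

ADMIN_POLICY = {  # same shape as AdministratorAccess: Allow "*" on "*"
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Boundary: the most a delegated identity may ever do, whatever gets attached
S3_READ_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "*"},
    ],
}

# Identity policy carrying the permission-management actions named on this page
PERMISSION_MGMT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:CreatePolicyVersion", "iam:AttachUserPolicy",
                    "iam:PutUserPolicy"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action names are case-insensitive; "*" and "?" act as wildcards
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate_policy(policy, action):
    """Return 'Allow', 'Deny' or 'Implicit' for a single policy document."""
    decision = "Implicit"
    for stmt in policy.get("Statement", []):
        if any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny always wins
            decision = "Allow"
    return decision


def effective_decision(identity_policies, action, boundary=None):
    """Combine the identity's policies with an optional permissions boundary.

    The boundary never grants: it can only turn an identity 'Allow' into 'Deny'.
    """
    identity = "Implicit"
    for policy in identity_policies:
        result = evaluate_policy(policy, action)
        if result == "Deny":
            return "Deny"
        if result == "Allow":
            identity = "Allow"
    if identity != "Allow":
        return "Deny"                  # nothing granted the action (implicit deny)
    if boundary is None:
        return "Allow"                 # no cap: the identity's grant stands
    return "Allow" if evaluate_policy(boundary, action) == "Allow" else "Deny"


def lacks_boundary(identity_record):
    """Audit helper: True when a (constructed) user/role record has no boundary.

    Intended as the check to run over identities that hold the
    permission-management actions above.
    """
    return not identity_record.get("PermissionsBoundary")


if __name__ == "__main__":
    # AdministratorAccess attached, but boundary limits to S3 reads
    print(effective_decision([ADMIN_POLICY], "iam:AttachUserPolicy",
                             boundary=S3_READ_BOUNDARY))   # Deny
    # Permission-management actions with no boundary: the common mistake
    print(effective_decision([PERMISSION_MGMT_POLICY], "iam:CreatePolicyVersion"))  # Allow
```

The first case in the usage block is the "attach AdministratorAccess to yourself" path from this page: the attachment succeeds on paper, but every action outside the S3-read boundary still evaluates to Deny. The second case shows the mistake with no boundary at all, where the identity keeps its self-granting actions unchecked.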
Shieldly's AI-Powered analyzer explains why an IAM policy is risky and returns the fix in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.
Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.