How do permission boundaries interact with identity policies?

The effective permissions of an IAM entity are the intersection of its identity-based policies and its permission boundary. If an identity policy grants s3:* and the boundary only allows s3:GetObject and s3:ListBucket, the effective permissions are limited to GetObject and ListBucket. Importantly, permission boundaries do not grant permissions — they only limit them. The entity must still have an explicit Allow in its identity policy for any action to be permitted.

How do permission boundaries prevent privilege escalation?

The key pattern is requiring that any IAM role or user created by a delegated administrator must have the same permission boundary attached. You encode this requirement as a condition in the administrator's IAM policy: iam:CreateRole is allowed only if iam:PermissionsBoundary equals a specific boundary policy ARN. This ensures that created roles cannot exceed the boundary's permissions, and since the boundary cannot be removed without explicit permission, escalation is blocked.

Do permission boundaries affect resource-based policies?

No. Permission boundaries only limit identity-based policy permissions. If a resource-based policy (like an S3 bucket policy or SQS queue policy) directly grants access to an IAM entity, the permission boundary does not restrict that access. This is an important distinction — resource-based policies bypass permission boundaries and SCPs for same-account access. For cross-account access, the boundary is still evaluated on the requesting principal's side.

AWS IAM Permission Boundary Builder

IAM & SecurityAWS

Build IAM permission boundary policies to set maximum permission limits for roles and users.

Permission Boundary Configuration

Statement 1

SID (optional)

Effect

Actions (comma-separated)

Resources (comma-separated)

Generated Permission Boundary

Output will appear here...

About This Tool

IAM permission boundaries set the maximum permissions that an IAM entity (user or role) can have, regardless of what identity-based policies are attached. They act as a guardrail — the effective permissions are the intersection of the identity policy and the permission boundary. This is critical for delegated administration scenarios where you allow developers to create IAM roles but want to ensure those roles can never exceed certain privilege levels. The Permission Boundary Builder helps you define boundary policies with correct resource constraints, service limitations, and condition keys that prevent privilege escalation.

When to Use This Tool

•Building a permission boundary that allows developers to create IAM roles for Lambda functions but prevents those roles from accessing IAM, Organizations, or billing services
•Creating boundary policies that restrict self-service role creation to specific resource prefixes (e.g., roles must start with 'dev-')
•Designing permission boundaries that enforce region restrictions so delegated roles can only operate in approved AWS regions
•Generating boundary policies that require all created roles to include the same permission boundary, preventing boundary removal as a privilege escalation vector

Frequently Asked Questions

How do permission boundaries interact with identity policies?: The effective permissions of an IAM entity are the intersection of its identity-based policies and its permission boundary. If an identity policy grants s3:* and the boundary only allows s3:GetObject and s3:ListBucket, the effective permissions are limited to GetObject and ListBucket. Importantly, permission boundaries do not grant permissions — they only limit them. The entity must still have an explicit Allow in its identity policy for any action to be permitted.
How do permission boundaries prevent privilege escalation?: The key pattern is requiring that any IAM role or user created by a delegated administrator must have the same permission boundary attached. You encode this requirement as a condition in the administrator's IAM policy: iam:CreateRole is allowed only if iam:PermissionsBoundary equals a specific boundary policy ARN. This ensures that created roles cannot exceed the boundary's permissions, and since the boundary cannot be removed without explicit permission, escalation is blocked.
Do permission boundaries affect resource-based policies?: No. Permission boundaries only limit identity-based policy permissions. If a resource-based policy (like an S3 bucket policy or SQS queue policy) directly grants access to an IAM entity, the permission boundary does not restrict that access. This is an important distinction — resource-based policies bypass permission boundaries and SCPs for same-account access. For cross-account access, the boundary is still evaluated on the requesting principal's side.

Related Learning Guides

AWS IAM Best Practices25 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.