AWS IAM Permissions Boundaries help to prevent privilege escalations

IAM policies are designed to restrict what an IAM user or role can do in your AWS account. These policies and permissions were usually created and managed by centralized security teams and often this would be a bottleneck in getting all your IAM users and roles correctly configured following the principle of least privileges. IAM users would raise support tickets to grant them additional access as and when their jobs demanded it. Sometimes, security teams would give those individuals additional privileges just so that they could cope with the level of inbound requests. This created several loopholes and at times specific individuals would escalate their privileges creating a security issue. IAM permission boundaries are designed to restrict permissions on IAM principals, such as roles, such that permissions don’t exceed what was originally intended. Ultimately freeing up the security teams, AWS IAM Permissions Boundaries help to prevent privilege escalations.

In this AWS how-to-guide, we demonstrate how IAM permission boundaries can be used to ensure that IAM users do not misuse their privileges and are prevented from escalating those privileges which could potentially cause a security breach. An example policy document is also provided in our GitHub repository for you to use:

An important point to note if you are planning on taking the AWS Certified Solutions Architect (SAA-C03) exam is to understand how IAM policies and permission boundaries are used together. IAM permission boundaries only define the maximum level of permissions an IAM user or role can have. Those users and roles still require an IAM policy to determine what actions they can or cannot perform within the confines of the permission boundary.

The logical intersection of both the permission boundary and the IAM policy ultimately determines what actions an IAM user or role can or cannot perform in your AWS account.