How can I use permissions boundaries to limit the scope of IAM users and roles, and also prevent privilege escalation?
Original: https://aws.amazon.com/premiumsupport/knowledge-center/iam-permission-boundaries/
Resolution
Use the following example IAM policy to provide these restrictions:
- Any IAM principal created by an IAM admin can have full access to AWS resources. How much access a principal actually gets still depends on its identity-based policies, because a permissions boundary only sets the maximum and doesn't grant permissions on its own.
- The policy blocks IAM principals from accessing AWS Billing and Cost Management services.
- IAM principals can't alter the permissions boundary to grant themselves access to the restricted services.
- IAM admins can't create IAM principals with more privileges than they already have.
- The IAM principals created by IAM admins can't create IAM principals with more permissions than the IAM admins have.
Save this policy as a managed policy named ScopePermissions. Replace YourAccount_ID with your account ID.
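The following policy is an added example written for this page, not the ScopePermissions policy from the original article, and it assumes the policy is saved under that name in the account (YourAccount_ID is the same placeholder the article uses). The first statement provides the "everything except billing" ceiling; the three Deny statements stop a principal from editing the boundary policy, from removing the boundary, and from creating or re-permissioning users and roles unless the request keeps this same boundary attached (the iam:PermissionsBoundary key is absent when no boundary is supplied, so StringNotEquals also denies that case).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEverythingExceptBilling",
      "Effect": "Allow",
      "NotAction": ["aws-portal:*", "budgets:*", "ce:*", "cur:*"],
      "Resource": "*"
    },
    {
      "Sid": "DenyEditingTheBoundaryPolicy",
      "Effect": "Deny",
      "Action": [
        "iam:CreatePolicyVersion",
        "iam:DeletePolicy",
        "iam:DeletePolicyVersion",
        "iam:SetDefaultPolicyVersion"
      ],
      "Resource": "arn:aws:iam::YourAccount_ID:policy/ScopePermissions"
    },
    {
      "Sid": "DenyRemovingTheBoundaryFromAnyPrincipal",
      "Effect": "Deny",
      "Action": [
        "iam:DeleteUserPermissionsBoundary",
        "iam:DeleteRolePermissionsBoundary"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyPrincipalChangesWithoutThisBoundary",
      "Effect": "Deny",
      "Action": [
        "iam:CreateUser",
        "iam:CreateRole",
        "iam:PutUserPermissionsBoundary",
        "iam:PutRolePermissionsBoundary",
        "iam:AttachUserPolicy",
        "iam:AttachRolePolicy",
        "iam:PutUserPolicy",
        "iam:PutRolePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "iam:PermissionsBoundary": "arn:aws:iam::YourAccount_ID:policy/ScopePermissions"
        }
      }
    }
  ]
}
```

Attach this policy as the permissions boundary of the IAM admins themselves as well as of the principals they create; the last Deny statement then forces every user or role they create or modify to carry the same boundary, so no principal in the chain can exceed it.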