IAM Permission Boundaries

How can I use permissions boundaries to limit the scope of IAM users and roles, and also prevent privilege escalation?

Original: https://aws.amazon.com/premiumsupport/knowledge-center/iam-permission-boundaries/

Resolution

Use the following example IAM policy to provide these restrictions:

  • Any IAM principal created by an IAM admin can have full access to AWS resources, but only as far as its identity-based policies grant it, because a permissions boundary does not grant permissions on its own; it only caps them.
  • The policy blocks IAM principals from accessing the AWS Billing and Cost Management services.
  • IAM principals can't alter the permissions boundary to grant themselves access to the restricted services.
  • IAM admins can't create IAM principals with more privileges than they have themselves.
  • IAM principals created by IAM admins can't, in turn, create IAM principals with more permissions than the IAM admins have.

Save this policy as a managed policy named ScopePermissions. Replace YourAccount_ID with your account ID.
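The following is an added example, not the ScopePermissions policy from the AWS article (that policy is not reproduced here). It builds an illustrative boundary document that implements the five restrictions listed above, and pairs it with a small evaluator that applies the rule the list relies on: a request is allowed only if both the identity-based policy and the boundary allow it, and any explicit Deny wins. The account ID, the list of Billing and Cost Management service prefixes, and the statement layout are assumptions for illustration; the condition key iam:PermissionsBoundary and the IAM actions named are real.

```python
"""Illustrative permissions boundary plus a minimal policy evaluator.

Added example, not the AWS page's own ScopePermissions policy. The account
ID, the billing service prefixes and the statement layout are assumptions.
"""
from fnmatch import fnmatchcase

ACCOUNT_ID = "123456789012"  # assumption: placeholder account ID
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT_ID}:policy/ScopePermissions"

# Assumption: these service prefixes stand in for Billing and Cost Management.
BILLING_PREFIXES = ["aws-portal", "budgets", "ce", "cur", "purchase-orders", "tax"]


def boundary_document():
    """Boundary policy: caps what a principal may do; it grants nothing by itself."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            # Ceiling: the boundary permits everything not denied below.
            {"Sid": "BoundaryCeiling", "Effect": "Allow", "Action": "*", "Resource": "*"},
            # No Billing and Cost Management access.
            {"Sid": "DenyBilling", "Effect": "Deny",
             "Action": [f"{p}:*" for p in BILLING_PREFIXES], "Resource": "*"},
            # Nobody can edit or delete the boundary policy itself.
            {"Sid": "DenyEditBoundary", "Effect": "Deny",
             "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                        "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
             "Resource": BOUNDARY_ARN},
            # Nobody can strip the boundary from an existing principal.
            {"Sid": "DenyRemoveBoundary", "Effect": "Deny",
             "Action": ["iam:DeleteUserPermissionsBoundary",
                        "iam:DeleteRolePermissionsBoundary"], "Resource": "*"},
            # New principals must carry this same boundary, so neither admins nor the
            # principals they create can mint a principal that exceeds them.
            {"Sid": "DenyCreateWithoutBoundary", "Effect": "Deny",
             "Action": ["iam:CreateUser", "iam:CreateRole",
                        "iam:PutUserPermissionsBoundary", "iam:PutRolePermissionsBoundary"],
             "Resource": "*",
             "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate StringEquals / StringNotEquals against the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                # Negated operator: a missing key still matches, as in IAM.
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator {operator}")
    return True


def _decision(policy, action, resource, context):
    """Return 'Deny', 'Allow', or None (implicit deny) for one policy document."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else None


def is_allowed(action, resource, identity_policy, boundary, context=None):
    """Effective permission is the intersection of identity policy and boundary."""
    context = context or {}
    ident = _decision(identity_policy, action, resource, context)
    bound = _decision(boundary, action, resource, context)
    if "Deny" in (ident, bound):
        return False
    return ident == "Allow" and bound == "Allow"


# Constructed identity-based policies for an admin and for an S3-only user.
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
S3_ONLY_POLICY = {"Version": "2012-10-17",
                  "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
```

The evaluator covers only identity policies and the boundary; real IAM evaluation also intersects service control policies, session policies and resource-based policies, so treat the result as the upper bound the boundary imposes, not as a full authorization decision. Calling `is_allowed("iam:CreateUser", ...)` with and without `{"iam:PermissionsBoundary": BOUNDARY_ARN}` in the context shows the privilege-escalation check: an admin with `*` can create a user only when the new user is born with the same boundary.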