AWSGlossary

IAM Permissions Boundary: What It Is and When to Use It

Definition

An AWS IAM Permissions Boundary is an advanced feature that sets the maximum permissions an identity-based policy can grant to an AWS Identity and Access Management (IAM) entity (a user or role). It does not grant permissions on its own; instead, it acts as a guardrail to control the maximum possible privileges for an identity, preventing accidental or malicious privilege escalation.

How It Works

Understanding a permissions boundary requires understanding the AWS IAM policy evaluation logic. The effective permissions of an IAM entity (a user or role) that has a permissions boundary are the intersection of its identity-based policies and its permissions boundary. In other words, for an action to be allowed, it must be permitted by both the identity-based policy (e.g., an inline or managed policy attached to the role) and the permissions boundary.

Think of it like this:

  • Identity-Based Policy: This policy grants permissions. It says, "You are allowed to do X, Y, and Z."
  • Permissions Boundary: This policy constrains those permissions. It says, "No matter what other policies say, you can never do more than A, B, and C."

The resulting, or effective, permission is what is common to both sets. If the identity policy allows ec2:* and s3:*, but the permissions boundary only allows s3:* and dynamodb:*, the user can only perform s3:* actions.

The overall IAM policy evaluation logic follows a specific order:

  1. Explicit Deny: If any policy (identity, resource, SCP, boundary, etc.) contains an explicit Deny for the action, the request is immediately denied.
  2. Service Control Policies (SCPs): At the AWS Organizations level, SCPs set broad guardrails for what is permissible in an account. The action must be allowed by the SCP.
  3. Resource-Based Policies: Policies attached directly to resources (like an Amazon S3 bucket policy) can grant access.
  4. Identity-Based Policies: Policies attached to the user or role making the request.
  5. IAM Permissions Boundary: The boundary policy is checked. The permissions granted in the identity-based policy must fall within the scope of what the boundary allows.
  6. Session Policies: If a role is assumed with a session policy, this further restricts permissions for that specific session.

If at the end of this evaluation there is no explicit Allow, the request is implicitly denied by default.

Key Features and Limits

  • Single Boundary: An IAM user or role can have only one permissions boundary attached at a time.
  • Managed Policy Requirement: The policy used as a boundary must be a managed policy (either AWS-managed or customer-managed). Inline policies cannot be used as boundaries.
  • Does Not Grant Permissions: A permissions boundary only filters or limits permissions; it never adds them. An Allow statement in a boundary does not grant access if it's not also granted by an identity-based policy.
  • Policy Size Limits: As boundaries are managed policies, they are subject to standard IAM policy size limits. For customer-managed policies, this is typically 6,144 characters.
  • Role Trust Policy Length: As of early 2026, the maximum length for a role's trust policy has been increased to 8,192 characters.
  • Managed Policies per Role: An IAM role can have up to 25 managed policies attached (this includes the single permissions boundary).

Common Use Cases

  1. Safely Delegating IAM Administration: This is the primary use case. A central security team can allow developers to create and manage their own IAM roles and policies for their applications. By enforcing that any role a developer creates must have a specific permissions boundary attached, the security team ensures that developers cannot create roles with permissions exceeding that boundary, thus preventing privilege escalation.
  2. Securing Automated CI/CD Pipelines: A role used by a CI/CD service (like AWS CodePipeline) can be restricted with a permissions boundary. This ensures that even if the pipeline's logic is compromised, the role's permissions are capped, preventing it from accessing or modifying resources outside of its intended scope (e.g., it can deploy to a specific Amazon ECS cluster but cannot alter IAM users or access sensitive data in Amazon S3).
  3. Enforcing Least Privilege in Sandbox Accounts: In development or training accounts, you can assign roles to users with a permissions boundary that allows experimentation with a wide range of services (e.g., Amazon EC2, Amazon S3) but explicitly denies access to production resources, modifying security configurations, or using expensive services.
  4. Controlling Third-Party Access: When granting a third-party tool or vendor access to your AWS account via an IAM role, a permissions boundary provides an extra layer of security. It guarantees that the third party's permissions can never exceed the maximum scope you have defined, regardless of the identity policies they might try to attach to the role.

Pricing Model

AWS Identity and Access Management (IAM), including the use of features like permissions boundaries, is offered at no additional charge. You are only billed for the usage of other AWS services by the IAM principals (users and roles) you create.

Pros and Cons

Pros:

  • Prevents Privilege Escalation: Its core strength is preventing users and services from granting themselves more permissions than intended.
  • Enables Safe Delegation: Allows central IT/security teams to delegate administrative tasks to developers and teams without losing ultimate control over maximum permissions.
  • Enforces Security Guardrails: Acts as a powerful, fine-grained guardrail on specific identities, complementing the broader, account-level guardrails of SCPs.

Cons:

  • Increases Complexity: Adds another layer to policy evaluation that can make troubleshooting permissions issues more difficult. A developer might be confused why a permission isn't working, not realizing a boundary is restricting it.
  • Potential for Misconfiguration: An overly restrictive boundary can block legitimate actions, while a poorly written one might fail to prevent privilege escalation. For example, if the boundary doesn't prevent a user from modifying the boundary policy itself, the feature is ineffective.
  • Does Not Grant Permissions: This is a frequent point of confusion. Administrators must remember to grant permissions via an identity-based policy in addition to setting the boundary.

Comparison with Alternatives

  • vs. Service Control Policies (SCPs):

    • Scope: SCPs are a feature of AWS Organizations and apply to entire AWS accounts or Organizational Units (OUs). A permissions boundary applies to a specific user or role within an account.
    • Effect: Both act as guardrails that set maximum permissions. An action must be allowed by the SCP, the permissions boundary (if present), and the identity policy to be effective.
    • Use Case: Use SCPs for broad, organization-wide rules (e.g., "No one in this account can use services outside the eu-west-1 region"). Use permissions boundaries for granular delegation for specific roles (e.g., "This developer role can create other roles, but only for Lambda and S3 access").

  • vs. Session Policies:

    • Scope: A permissions boundary is persistently attached to a user or role. A session policy is a temporary policy passed programmatically when a role is assumed, and it is only valid for that single session.
    • Effect: Session policies further restrict permissions for a temporary session. The effective permissions become the intersection of the role's identity policies, its permissions boundary, AND the session policy.
    • Use Case: Use session policies when you want to dynamically reduce a role's permissions for a specific task. For example, a role might have broad read/write access to an S3 bucket, but when a user assumes it to view a specific file, you can pass a session policy that restricts them to read-only access on just that one object key.

Exam Relevance

IAM Permissions Boundaries are a key topic in several AWS certification exams, particularly those focused on security and architecture.

  • AWS Certified Solutions Architect - Associate (SAA-C03) & Professional (SAP-C02): Questions often test your understanding of the policy evaluation logic and the primary use case of safely delegating permissions to developers.
  • AWS Certified Security - Specialty (SCS-C02): Expect in-depth questions on how permissions boundaries prevent privilege escalation, how they differ from SCPs, and how to construct policies to enforce them correctly.

For any exam, you must know that a permissions boundary sets maximum permissions but does not grant them, and that the effective permissions are the intersection of the boundary and the identity policies.

Frequently Asked Questions

Q: Does an IAM Permissions Boundary grant permissions?

A: No, it absolutely does not. A permissions boundary is only a guardrail; it sets the maximum possible permissions for a user or role. The entity must still be granted permissions via a separate identity-based policy (like an AWS-managed or customer-managed policy). The final effective permissions are the intersection of what both the identity policy and the boundary allow.

Q: What happens if a permission is allowed by an identity policy but not by the permissions boundary?

A: The permission is denied. For an action to be allowed, it must be explicitly permitted by the identity-based policy and also fall within the scope of permissions allowed by the boundary.

Q: How is a permissions boundary different from a Service Control Policy (SCP)?

A: The primary difference is scope. An SCP applies broadly to an entire AWS account or a group of accounts (an OU) within AWS Organizations. A permissions boundary is a much more granular control that applies only to the specific IAM user or IAM role it is attached to.

This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.

Published: 5/26/2026 / Updated: 5/26/2026

This article is for informational purposes only. AWS services, pricing, and features change frequently — always verify details against the official AWS documentation before making production decisions.

More in Security

Resource-Based vs Identity-Based Policies: How to Use Them

Understand AWS IAM identity-based vs resource-based policies. Learn what they are, how they differ, and when to use each for effective AWS security. See examples.

IAM Access Analyzer: How It Works & When to Use It

IAM Access Analyzer formally verifies policies to identify and remediate unintended resource access. Learn how it monitors S3 buckets, IAM roles, and KMS keys for external sharing.

AWS CloudHSM: Secure Key Management in the Cloud

AWS CloudHSM offers dedicated HSMs for secure key generation and storage, meeting FIPS 140-2 Level 3 compliance. Learn how it works and when to use it.

AWS Certificate Manager (ACM): Simplify SSL/TLS Certificates

AWS Certificate Manager (ACM) simplifies SSL/TLS certificate management for your AWS apps. Automate provisioning, renewal, and deployment. Learn how it works.

Multi-Factor Authentication (MFA): Secure Your AWS Account

Multi-Factor Authentication (MFA) adds a vital security layer to AWS IAM, requiring a second factor beyond passwords. Reduce unauthorized access risk. Learn how it works.

View all Security terms →