A Permissions Boundary is an advanced IAM feature that sets the MAXIMUM permissions an IAM entity (a user or a role, not a group) can have. It is an ordinary managed policy, but it is attached to the entity as its boundary rather than as an identity-based policy. Even if an identity-based policy grants broader permissions, only the actions allowed by both the identity policy and the boundary are effective. A boundary never grants anything on its own, an explicit Deny in either policy still wins, and it does not limit access granted by resource-based policies (for example a bucket policy that names the user or role as principal).
Effective Permissions = Identity-Based Policy AND Permissions Boundary
Example:
Identity Policy: Allow ec2:*, s3:*, rds:*
Permissions Boundary: Allow ec2:*, s3:*
Effective Permissions: ec2:*, s3:* (rds:* is not in the boundary, so the RDS grant has no effect; the boundary does not add anything either)
You want to allow a developer to create IAM roles for their Lambda functions, but prevent them from creating a role that is more powerful than the boundary allows. The developer's own boundary only caps the developer: a role the developer creates is a new entity with its own policies, so the cap has to be carried over to that role explicitly.

The admin attaches a boundary policy to the developer user. The developer's identity policy allows iam:CreateRole, iam:AttachRolePolicy and iam:PutRolePolicy only on condition that the request sets iam:PermissionsBoundary to that same boundary policy ARN, and explicitly denies iam:DeleteRolePermissionsBoundary and iam:PutRolePermissionsBoundary. The developer can then create Lambda execution roles, but:

- cannot create a role without the approved boundary attached (the CreateRole call is denied)
- cannot produce an administrator role: attaching AdministratorAccess to a bounded role leaves the role capped by the boundary
- cannot remove or swap the boundary afterwards

Scoping iam:PassRole to the same role name prefix closes the remaining step of the usual escalation path: create an over-privileged role, then pass it to a service you control.
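The following is an added illustration, not code from the original page and not AWS's evaluation engine. It is a toy model of the two rules this page relies on: the identity policy ANDed with the boundary (the ec2/s3/rds example above), and the delegated-role-creation pattern with a StringEquals condition on iam:PermissionsBoundary. It models Action and Resource wildcards, explicit Deny precedence and that one condition operator only; the account ID, the DeveloperBoundary policy name and the lambda-* role prefix are assumptions made for the example.

```python
# Toy model of IAM policy evaluation limited to what this page discusses.
# Constructed illustration, not AWS's evaluation engine. Account ID, policy
# name and role prefix below are made up.
import fnmatch

ACCOUNT = "123456789012"
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/DeveloperBoundary"


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _statement_matches(stmt, action, resource, context):
    """True if a statement applies to the request (Action, Resource, Condition)."""
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} is not modelled")
        # A context key that is absent from the request fails StringEquals
        # (only the ...IfExists variants would pass).
        if any(context.get(key) != value for key, value in pairs.items()):
            return False
    return True


def evaluate_policy(policy, action, resource="*", context=None):
    """Evaluate one policy document: an explicit Deny wins over any Allow."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def effective_decision(identity_policy, boundary, action, resource="*", context=None):
    """Effective permission = identity policy AND boundary; Deny anywhere wins."""
    ident = evaluate_policy(identity_policy, action, resource, context)
    bound = evaluate_policy(boundary, action, resource, context)
    if "Deny" in (ident, bound):
        return "Deny"
    return "Allow" if ident == bound == "Allow" else "ImplicitDeny"


# Example 1: the ec2/s3/rds intersection.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "rds:*"], "Resource": "*"}]}
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}]}

# Example 2: delegated role creation. The developer may create lambda-* roles
# and attach policies to them only when the request carries the approved
# boundary, and may never remove or replace a boundary.
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["lambda:*", "logs:*"], "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"],
     "Resource": f"arn:aws:iam::{ACCOUNT}:role/lambda-*",
     "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": f"arn:aws:iam::{ACCOUNT}:role/lambda-*"},
    {"Effect": "Deny",
     "Action": ["iam:DeleteRolePermissionsBoundary", "iam:PutRolePermissionsBoundary"],
     "Resource": "*"}]}
# The same boundary policy is attached to the developer user itself.
DEVELOPER_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["lambda:*", "logs:*", "iam:CreateRole", "iam:AttachRolePolicy",
                "iam:PutRolePolicy", "iam:PassRole"],
     "Resource": "*"}]}


def demo():
    """Run the requests a reviewer would check; returns {description: decision}."""
    role = f"arn:aws:iam::{ACCOUNT}:role/lambda-app"
    with_boundary = {"iam:PermissionsBoundary": BOUNDARY_ARN}
    return {
        "rds:CreateDBInstance, boundary lacks rds": effective_decision(
            IDENTITY_POLICY, BOUNDARY, "rds:CreateDBInstance"),
        "s3:GetObject, allowed by both": effective_decision(
            IDENTITY_POLICY, BOUNDARY, "s3:GetObject"),
        "boundary alone grants nothing": effective_decision(
            {"Version": "2012-10-17", "Statement": []}, BOUNDARY, "s3:GetObject"),
        "CreateRole with approved boundary": effective_decision(
            DEVELOPER_POLICY, DEVELOPER_BOUNDARY, "iam:CreateRole", role, with_boundary),
        "CreateRole without a boundary": effective_decision(
            DEVELOPER_POLICY, DEVELOPER_BOUNDARY, "iam:CreateRole", role),
        "DeleteRolePermissionsBoundary": effective_decision(
            DEVELOPER_POLICY, DEVELOPER_BOUNDARY, "iam:DeleteRolePermissionsBoundary", role),
    }


if __name__ == "__main__":
    for description, decision in demo().items():
        print(f"{description:40s} {decision}")
```

The model deliberately reports ImplicitDeny and Deny separately: a missing Allow can be fixed by adding a statement, whereas the explicit Deny on the boundary-management actions cannot be overridden by anything the developer can write, which is the property the delegation pattern depends on.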
| Feature | Permissions Boundary | SCP |
|---|---|---|
| Applies to | Specific IAM users or roles in one account | Every principal in the member accounts of an OU or organization (the management account is exempt) |
| Set by | IAM admin in the same account | Organizations admin in the management account |
| Purpose | Cap what one identity can do, including identities it is allowed to create | Cap what any identity in an account can do, root user included |
| Grants permissions? | No, only limits; an identity policy must still allow the action | No, only limits; an identity policy must still allow the action |