Permission Boundary Setup
Prerequisites
- AWS account with IAM administrative access
- Terraform >= 1.0
- Understanding of IAM permission boundaries
Step 1: Create the Permission Boundary
module "developer_boundary" {
  source  = "registry.patterneddesigns.ca/governance/access-policy/aws"
  version = "2.1.0"

  policy_name = "developer-permission-boundary"
  policy_type = "boundary"

  # Services the boundary allows; actions outside this list are not
  # permitted even when an identity policy grants them
  allowed_services = [
    "s3",
    "dynamodb",
    "lambda",
    "sqs",
    "sns",
    "logs",
    "xray"
  ]

  # Explicit denies; these win over any allow in the role's identity policies
  denied_actions = [
    # Prevent IAM escalation
    "iam:CreateUser",
    "iam:CreateRole",
    "iam:AttachRolePolicy",
    "iam:PutRolePolicy",
    # Prevent removing or swapping the boundary on a role
    "iam:DeleteRolePermissionsBoundary",
    "iam:PutRolePermissionsBoundary",
    # Prevent organization changes
    "organizations:*"
  ]
}

output "boundary_arn" {
  value = module.developer_boundary.policy_arn
}
Step 2: Apply the Boundary to Developer Roles
resource "aws_iam_role" "developer_admin" {
  name                 = "developer-iam-admin"
  permissions_boundary = module.developer_boundary.policy_arn

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Principal = {
        AWS = "arn:aws:iam::123456789012:root"
      }
      Action = "sts:AssumeRole"
    }]
  })
}

# Identity policies grant, the boundary caps. IAMFullAccess is deliberately
# broad: iam is not in allowed_services, so every IAM action it grants is
# outside the boundary and the role ends up with no usable IAM permission.
resource "aws_iam_role_policy_attachment" "developer_admin" {
  role       = aws_iam_role.developer_admin.name
  policy_arn = "arn:aws:iam::aws:policy/IAMFullAccess"
}

# A boundary grants nothing by itself, so the role also needs an identity
# policy for the services it is meant to use. This gives it Lambda access
# inside the boundary for the positive check in Step 4.
resource "aws_iam_role_policy_attachment" "developer_admin_lambda" {
  role       = aws_iam_role.developer_admin.name
  policy_arn = "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
}
Step 3: Deploy and Test
terraform init
terraform plan
terraform apply
The init step is required the first time because the boundary module is fetched from a private registry; review the plan before applying, since it creates an IAM policy and a role that can be assumed by any principal in the account.
Step 4: Verify Boundary Enforcement
Assume the developer role (for example with aws sts assume-role, or a CLI profile that assumes it) and attempt operations:
# This should succeed: lambda is in allowed_services and the role has a Lambda identity policy
aws lambda list-functions
# Note that aws lambda create-function would additionally need iam:PassRole for the function's execution role; iam is not in allowed_services, so that call is blocked by this boundary
# This should fail: iam:CreateUser is in denied_actions
aws iam create-user --user-name test-user
# Error: User: ... is not authorized to perform: iam:CreateUser ... with an explicit deny in a permissions boundary
The "permissions boundary" phrase in the AccessDenied message is what distinguishes a boundary denial from a missing identity policy.
Key Points
- Permission boundaries cap the maximum permissions: what a role can actually do is the intersection of its identity policies and its boundary, minus any explicit deny. That is why IAMFullAccess attached in Step 2 yields no usable IAM permission here (iam is not among allowed_services).
- A boundary grants nothing on its own. Every action still needs an identity policy, and the boundary's explicit denies (denied_actions) override any allow.
- Boundaries are the standard tool for delegating IAM administration, but the configuration above does not yet delegate anything: iam is outside the boundary and iam:CreateRole is explicitly denied, so the developer cannot create roles. To delegate role creation, allow iam:CreateRole (and policy attachment) in the developer's identity policy only under the condition that iam:PermissionsBoundary equals the boundary ARN, so every role the developer creates carries the same cap.
- Protect the boundary policy as well as its attachment: denying iam:DeleteRolePermissionsBoundary stops removal, but iam:CreatePolicyVersion or iam:SetDefaultPolicyVersion on the boundary policy would let someone loosen it in place.
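The delegation pattern described in the key points, as an added example that is not part of the page's module or its Step 2 configuration: a separate role that may create and modify roles only when they carry the Step 1 boundary, and may never edit or strip the boundary itself. It assumes module.developer_boundary.policy_arn from Step 1 and the account 123456789012 used on this page; the app-* role prefix and the delegated-iam-admin names are illustrative.

```hcl
# Added example, not the page's module. Delegated IAM administration that
# forces the Step 1 boundary onto every role the developer creates.
# Assumes module.developer_boundary.policy_arn and account 123456789012
# from this page; "app-*" and "delegated-iam-admin" are illustrative.

locals {
  boundary_arn = module.developer_boundary.policy_arn
  account_id   = "123456789012"
}

data "aws_iam_policy_document" "delegated_iam_admin" {
  # Create or change app roles only when the boundary is present:
  # on the request for CreateRole, or already set on the target role
  # for AttachRolePolicy and PutRolePolicy.
  statement {
    sid    = "CreateOrChangeRolesOnlyWithBoundary"
    effect = "Allow"
    actions = [
      "iam:CreateRole",
      "iam:PutRolePermissionsBoundary",
      "iam:AttachRolePolicy",
      "iam:DetachRolePolicy",
      "iam:PutRolePolicy",
      "iam:DeleteRolePolicy"
    ]
    resources = ["arn:aws:iam::${local.account_id}:role/app-*"]
    condition {
      test     = "StringEquals"
      variable = "iam:PermissionsBoundary"
      values   = [local.boundary_arn]
    }
  }

  # Lifecycle of app roles. PassRole is limited to the same prefix, so the
  # developer can only hand boundary-capped roles to services.
  statement {
    sid    = "ManageAppRoles"
    effect = "Allow"
    actions = [
      "iam:DeleteRole",
      "iam:UpdateRole",
      "iam:UpdateAssumeRolePolicy",
      "iam:TagRole",
      "iam:UntagRole",
      "iam:PassRole"
    ]
    resources = ["arn:aws:iam::${local.account_id}:role/app-*"]
  }

  statement {
    sid       = "ReadIam"
    effect    = "Allow"
    actions   = ["iam:Get*", "iam:List*"]
    resources = ["*"]
  }

  # The boundary policy must not be loosened in place ...
  statement {
    sid    = "NoBoundaryPolicyEdit"
    effect = "Deny"
    actions = [
      "iam:CreatePolicyVersion",
      "iam:DeletePolicy",
      "iam:DeletePolicyVersion",
      "iam:SetDefaultPolicyVersion"
    ]
    resources = [local.boundary_arn]
  }

  # ... nor stripped from anything it is attached to.
  statement {
    sid    = "NoBoundaryRemoval"
    effect = "Deny"
    actions = [
      "iam:DeleteRolePermissionsBoundary",
      "iam:DeleteUserPermissionsBoundary"
    ]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "delegated_iam_admin" {
  name   = "delegated-iam-admin"
  policy = data.aws_iam_policy_document.delegated_iam_admin.json
}

# Deliberately no permissions_boundary on this role: the Step 1 boundary
# denies iam:CreateRole, so applying it here would block the delegation.
# The condition-scoped policy above is this role's cap.
resource "aws_iam_role" "delegated_iam_admin" {
  name = "delegated-iam-admin"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = "arn:aws:iam::${local.account_id}:root" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "delegated_iam_admin" {
  role       = aws_iam_role.delegated_iam_admin.name
  policy_arn = aws_iam_policy.delegated_iam_admin.arn
}
```

To check it after apply, assume delegated-iam-admin and run aws iam create-role for a role named app-something once with --permissions-boundary set to the boundary ARN and once without: the first call is allowed and the second is denied, because the condition key does not match. Roles created this way carry the Step 1 boundary, which itself denies iam:CreateRole, so a created role cannot in turn mint further roles.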