permissions_boundary
ARN of the policy to use as a permissions boundary.

**What is a permissions boundary?**

A permissions boundary sets the maximum permissions a role can have, regardless of which identity-based policies are attached to it. The effective permissions are the intersection of the identity-based policies and the boundary: an action is permitted only when both the attached policies and the boundary allow it.

**Use cases:**

- Delegate role creation to developers while limiting the maximum permissions those roles can hold
- Enforce organization-wide security controls
- Prevent privilege escalation in multi-tenant environments

**Example boundary policy:**

A boundary that prevents IAM modifications:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy"
      ],
      "Resource": "*"
    }
  ]
}
```

**Best practices:**

- Apply boundaries to all roles created by delegated administrators
- Include the boundary in the boundary policy itself to prevent its removal
- Test thoroughly: boundaries can cause unexpected permission denials
Permissions Boundaries
Permissions boundaries limit the maximum permissions a role can have.
Best Practices
- Use for delegated administration
- Enforce organizational security policies
- Common in enterprise environments
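As an added example that is not part of this module's documentation, the following Python model makes the intersection rule concrete: a request is allowed only when the identity-based policies and the boundary both allow it, and an explicit deny on either side wins. The boundary document is the page's own example policy; the two identity policies, the `harden_boundary` helper and the simplified evaluator (actions and resources only, no conditions, `NotAction` or SCPs) are constructed for this demonstration. It also checks one reading of the "include the boundary in the boundary policy itself" practice: whether the boundary explicitly denies `iam:DeleteRolePermissionsBoundary` and `iam:PutRolePermissionsBoundary`, the IAM actions that detach or replace a role's boundary.

```python
import copy
import fnmatch
import json

# The boundary policy documented on this page (copied from its JSON example).
PAGE_BOUNDARY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "*", "Resource": "*" },
    { "Effect": "Deny",
      "Action": ["iam:CreateRole", "iam:DeleteRole",
                 "iam:AttachRolePolicy", "iam:PutRolePolicy"],
      "Resource": "*" }
  ]
}
""")

# Constructed identity-based policies for the demonstration (not from the page).
ADMIN_IDENTITY = {"Version": "2012-10-17",
                  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
S3_READ_IDENTITY = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "s3:Get*",
                                   "Resource": "arn:aws:s3:::example-bucket/*"}]}

# IAM actions that detach or replace a role's boundary; a self-protecting
# boundary must explicitly deny them.
BOUNDARY_REMOVAL_ACTIONS = ("iam:DeleteRolePermissionsBoundary",
                            "iam:PutRolePermissionsBoundary")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM action names are case-insensitive; '*' and '?' are the only wildcards.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def evaluate_policy(policy, action, resource="*"):
    """Return "Deny", "Allow" or None (implicit deny) for one policy document.

    Simplified model: Action/Resource matching only. Statements using
    NotAction, NotResource or Condition are treated as not matching.
    """
    decision = None
    for stmt in policy["Statement"]:
        if "Action" not in stmt or "Condition" in stmt or "NotResource" in stmt:
            continue
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt.get("Resource", "*"), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny is final within a document
        decision = "Allow"
    return decision


def effective_decision(identity_policies, boundary, action, resource="*"):
    """Intersection semantics: the action is allowed only if the identity
    policies allow it AND the boundary allows it; an explicit deny wins."""
    identity = [evaluate_policy(p, action, resource) for p in identity_policies]
    from_boundary = evaluate_policy(boundary, action, resource)
    if "Deny" in identity or from_boundary == "Deny":
        return "Deny"
    if "Allow" in identity and from_boundary == "Allow":
        return "Allow"
    return "Deny"  # implicit deny: one side never granted the action


def boundary_protects_itself(boundary):
    """True if the boundary explicitly denies the actions that would remove it."""
    return all(evaluate_policy(boundary, a) == "Deny" for a in BOUNDARY_REMOVAL_ACTIONS)


def harden_boundary(boundary):
    """Return a copy whose Deny statement also covers the boundary-removal actions."""
    hardened = copy.deepcopy(boundary)
    deny = next(s for s in hardened["Statement"] if s["Effect"] == "Deny")
    deny["Action"] = _as_list(deny["Action"]) + list(BOUNDARY_REMOVAL_ACTIONS)
    return hardened


HARDENED_BOUNDARY = harden_boundary(PAGE_BOUNDARY)

if __name__ == "__main__":
    cases = [
        ([ADMIN_IDENTITY], "s3:GetObject", "arn:aws:s3:::example-bucket/k"),
        ([ADMIN_IDENTITY], "iam:PutRolePolicy", "*"),
        ([S3_READ_IDENTITY], "s3:PutObject", "arn:aws:s3:::example-bucket/k"),
        ([ADMIN_IDENTITY], "iam:DeleteRolePermissionsBoundary", "*"),
    ]
    for policies, action, resource in cases:
        print(action, "->", effective_decision(policies, PAGE_BOUNDARY, action, resource))
    print("page boundary protects itself:", boundary_protects_itself(PAGE_BOUNDARY))
    print("hardened boundary protects itself:", boundary_protects_itself(HARDENED_BOUNDARY))
```

Running it shows the three situations a practitioner should expect from the intersection rule: the admin identity keeps `s3:GetObject` because both sides allow it, loses `iam:PutRolePolicy` because the boundary denies it, and the read-only identity never gets `s3:PutObject` even though the boundary would allow it. The self-protection check reports that the page's example boundary, taken as written, does not deny the boundary-removal actions, while the hardened copy does; use this kind of offline check before deploying a boundary, alongside the "test thoroughly" advice above.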
Full Module Example

```hcl
module "iam_role" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/iam-role/aws"
  version = "0.1.0"

  # permissions_boundary
  permissions_boundary = "..."

  # Other required inputs
  name = "..."
}
```