Ensure that permissions boundaries are set for the relevant Amazon IAM identities in order to control the maximum permissions that these identities can have. Permissions boundaries are IAM restrictions (similar to Organizations Service Control Policies) that define the maximum permissions an IAM user or role can be granted within your AWS account. This feature also allows others to perform tasks on your behalf within a specific boundary of permissions. As an IAM administrator, you can define one or more permissions boundaries using managed policies and allow another user in your organization to create a principal with this boundary. The trusted user can then attach a permissions policy to this principal. However, the effective permissions of the newly created principal are the intersection of the permissions boundary and the permissions policy, so the principal cannot exceed the boundary that you defined. For example, you can grant another user permission to create IAM roles and assign permissions to them. Using a permissions boundary, you can ensure that those new IAM roles can only access certain actions and resources (e.g. launch EC2 instances) in a particular AWS region (e.g. Asia Pacific - Sydney region).
As your organization grows, you may have to allow trusted employees to configure and manage IAM permissions in order to scale permission management and move workloads to the AWS cloud faster. For example, you might need to grant a developer the ability to create and manage permissions for an IAM role required to run a web application on Amazon EC2. This ability is quite powerful and can be used inappropriately or accidentally to attach an administrator access policy and obtain full access to all resources and services in an AWS account. With permissions boundaries you can easily control the maximum permissions that your employees can grant to the IAM principals (i.e. users and roles) that they create and manage.
To determine if the necessary IAM identities within your AWS account have set permissions boundaries to control the maximum permissions that these can acquire, perform the following actions:
Remediation / Resolution
To set up permissions boundaries for specific IAM identities within your AWS account in order to control the maximum permissions that these entities can get, perform the following actions:
Note: A permissions boundary limits the maximum permissions but does not grant access on its own. Only permissions policies grant permissions, and those permissions can be limited by a permissions boundary. The AWS IAM identities presented as examples in this conformity rule have attached permissions policies that require limitation (i.e. a permissions boundary).
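The intersection rule described above, and the note that a boundary limits but never grants, can be seen in a small policy simulator. The following Python code is an added illustration for this page, not AWS code and not part of the original rule: it models only Allow/Deny statements with Action, Resource and an optional StringEquals condition on aws:RequestedRegion, which is enough to show how a boundary narrows an over-broad identity policy. The boundary and identity policies below are constructed samples; the real evaluation order (SCPs, resource and session policies, NotAction, and so on) is documented under Policy Evaluation Logic.

```python
"""Simplified model of how a permissions boundary narrows an identity's
effective permissions (added illustration, not AWS code). Only a subset of
IAM policy grammar is handled: Effect, Action, Resource and an optional
StringEquals condition on aws:RequestedRegion."""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource, region):
    """True if the statement's Action, Resource and Condition all match the request."""
    actions = [a.lower() for a in _as_list(stmt["Action"])]  # action names are case-insensitive
    if not any(fnmatchcase(action.lower(), pat) for pat in actions):
        return False
    if not any(fnmatchcase(resource, pat) for pat in _as_list(stmt.get("Resource", "*"))):
        return False
    wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:RequestedRegion")
    if wanted is not None and region not in _as_list(wanted):
        return False
    return True


def policy_decision(policy, action, resource, region):
    """Return 'Deny' on an explicit Deny, 'Allow' on a matching Allow, else 'Implicit'."""
    decision = "Implicit"
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, region):
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny always wins
            decision = "Allow"
    return decision


def is_allowed(identity_policy, action, resource, region, boundary=None):
    """Effective decision for a principal: the identity policy must allow the
    request, and when a boundary is attached the boundary must allow it too
    (the intersection). A boundary on its own never grants anything."""
    if policy_decision(identity_policy, action, resource, region) != "Allow":
        return False
    if boundary is None:
        return True
    return policy_decision(boundary, action, resource, region) == "Allow"


# Constructed sample: boundary that caps any role at "EC2 in Sydney only".
BOUNDARY_EC2_SYDNEY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ec2:*",
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:RequestedRegion": "ap-southeast-2"}},
    }],
}

# Constructed sample: the over-broad policy a developer might attach by mistake.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed sample: an identity policy that grants only S3 reads.
S3_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-bucket/*"}],
}


if __name__ == "__main__":
    # Admin policy alone: everything goes through.
    print(is_allowed(ADMIN_POLICY, "s3:GetObject", "arn:aws:s3:::app-bucket/x", "us-east-1"))
    # Same policy under the boundary: only EC2 in Sydney survives.
    print(is_allowed(ADMIN_POLICY, "ec2:RunInstances", "*", "ap-southeast-2", BOUNDARY_EC2_SYDNEY))
    print(is_allowed(ADMIN_POLICY, "ec2:RunInstances", "*", "us-east-1", BOUNDARY_EC2_SYDNEY))
    print(is_allowed(ADMIN_POLICY, "s3:GetObject", "arn:aws:s3:::app-bucket/x", "ap-southeast-2", BOUNDARY_EC2_SYDNEY))
    # Boundary does not grant: an S3-only identity still cannot launch instances.
    print(is_allowed(S3_READ_ONLY, "ec2:RunInstances", "*", "ap-southeast-2", BOUNDARY_EC2_SYDNEY))
```

The last case is the one the note above is about: attaching BOUNDARY_EC2_SYDNEY to a principal whose own policy only allows s3:GetObject does not make ec2:RunInstances available, because the boundary is a ceiling, not a grant. Conversely, the same boundary turns an accidental administrator policy into "EC2 in Sydney only", which is the scenario the rule is meant to protect against.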
- AWS Documentation
- Identities (Users, Groups, and Roles)
- IAM Users
- Managing IAM Users
- IAM Roles
- Managing IAM Roles
- Access Management
- Permissions Boundaries for IAM Identities
- Policy Evaluation Logic
Set Permissions Boundaries for IAM Identities
Risk level: Medium