This created several loopholes, and at times specific individuals would escalate their privileges, creating a security issue. IAM permission boundaries are designed to restrict the permissions of IAM principals, such as roles, so that their permissions do not exceed what was originally intended. By preventing privilege escalation, AWS IAM permission boundaries ultimately free up the security teams.
In this AWS how-to guide, we demonstrate how IAM permission boundaries can be used to ensure that IAM users do not misuse their privileges and are prevented from escalating those privileges, which could otherwise cause a security breach. An example policy document is also provided in our GitHub repository for you to use: https://github.com/iaasacademy/aws-how-to-guide/tree/main/iam-permission-boundaries
An important point to note if you are planning on taking the AWS Certified Solutions Architect (SAA-C03) exam is to understand how IAM policies and permission boundaries are used together. IAM permission boundaries only define the maximum level of permissions an IAM user or role can have. Those users and roles still require an IAM policy to determine what actions they can or cannot perform within the confines of the permission boundary.
The logical intersection of both the permission boundary and the IAM policy ultimately determines what actions an IAM user or role can or cannot perform in your AWS account.
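To make that intersection concrete, here is an added Python model (not code from the guide or its GitHub repository) that evaluates a constructed permission boundary and a constructed identity policy against a list of actions. It assumes a deliberately simplified evaluation: action matching only, no Resource or Condition elements, and no SCPs, session policies or resource-based policies.

```python
import fnmatch
import json

# Constructed sample boundary: caps every principal it is attached to at
# S3 and EC2 read-only actions and explicitly denies all IAM actions.
BOUNDARY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Deny",  "Action": ["iam:*"], "Resource": "*"}
  ]
}""")

# Constructed sample identity policy: what a (mis)configured user was granted,
# including an IAM action that would allow privilege escalation.
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket", "iam:CreateUser",
                "ec2:DescribeInstances", "ec2:RunInstances"],
     "Resource": "*"}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_decision(policy, action):
    """Simplified single-policy evaluation: an explicit Deny wins over any
    Allow, and with no matching statement the result is an implicit deny.
    IAM action names are case-insensitive, so both sides are lowercased."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "deny"
            decision = "allow"
    return decision


def is_allowed(action, identity_policy, boundary=None):
    """Effective decision = identity policy AND boundary (when attached).
    A boundary alone grants nothing; it can only narrow the identity policy."""
    if policy_decision(identity_policy, action) != "allow":
        return False
    if boundary is not None and policy_decision(boundary, action) != "allow":
        return False
    return True


def effective_actions(actions, identity_policy, boundary):
    """Map each requested action to its effective allow/deny result."""
    return {a: is_allowed(a, identity_policy, boundary) for a in actions}
```

Run `effective_actions(["s3:GetObject", "iam:CreateUser", "ec2:RunInstances"], IDENTITY_POLICY, BOUNDARY)` to see that only the S3 read survives the intersection, while the same call with `boundary=None` lets the IAM escalation through.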