> AWS supports _permissions boundaries_ for [[AWS IAM|IAM]] entities (users or roles). A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.

---

## References

- [Permissions Boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
- [Using permissions boundaries for AWS Lambda applications](https://docs.aws.amazon.com/lambda/latest/dg/permissions-boundary.html)
- [[AWS SAM]] allows a `PermissionsBoundary` to be defined in the `Globals` section so that the individual IAM role created for each function defined in the template has the permissions boundary attached to it.
- [How can I use permissions boundaries to limit the scope of IAM users and roles and prevent privilege escalation?](https://aws.amazon.com/premiumsupport/knowledge-center/iam-permission-boundaries/)
- https://aws.amazon.com/premiumsupport/knowledge-center/lambda-sam-template-permissions/

---

tags:
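The evaluation rule quoted above (an action is permitted only when both the identity-based policy and the boundary allow it, and an explicit Deny in either wins) can be modelled in a few lines. The following is an added example, not code from AWS or any of the linked pages: a toy evaluator for simple Allow/Deny statements with wildcard `Action`/`Resource` patterns. The two policy documents and the ARNs are constructed for illustration; the model ignores `Condition`, `NotAction`, resource-based policies, SCPs and session policies, so it shows the boundary intersection and nothing more.

```python
"""Toy model of how an IAM permissions boundary caps an identity-based policy.

Added example (not AWS code). Evaluation order modelled here:
  1. an explicit Deny in either policy wins,
  2. otherwise the request is allowed only if BOTH the identity policy
     and the boundary contain a matching Allow statement.
"""
from fnmatch import fnmatchcase

# Constructed sample: the identity policy is deliberately broad.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "iam:CreateUser"], "Resource": "*"},
    ],
}

# Constructed sample: the boundary caps what the identity policy may grant.
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket", "logs:*"],
         "Resource": "*"},
        {"Effect": "Deny",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::secrets-bucket/*"},
    ],
}


def _listify(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _action_matches(pattern, action):
    """Action names are case-insensitive; '*' and '?' act as wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    """ARN patterns are matched case-sensitively with the same wildcards."""
    return fnmatchcase(resource, pattern)


def policy_decision(policy, action, resource):
    """Return 'Deny', 'Allow' or 'Implicit' for a single policy document."""
    decision = "Implicit"
    for stmt in policy["Statement"]:
        if not any(_action_matches(p, action) for p in _listify(stmt.get("Action", []))):
            continue
        if not any(_resource_matches(p, resource) for p in _listify(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny short-circuits everything
        decision = "Allow"         # keep scanning: a later Deny could still apply
    return decision


def is_allowed(identity_policy, boundary, action, resource):
    """Effective decision: both policies must Allow and neither may Deny."""
    ident = policy_decision(identity_policy, action, resource)
    bound = policy_decision(boundary, action, resource)
    if "Deny" in (ident, bound):
        return False
    return ident == "Allow" and bound == "Allow"


def effective_permissions(identity_policy, boundary, requests):
    """Map each (action, resource) request to its effective decision."""
    return {req: is_allowed(identity_policy, boundary, *req) for req in requests}


if __name__ == "__main__":
    sample_requests = [
        ("s3:GetObject", "arn:aws:s3:::app-bucket/data.json"),
        ("s3:GetObject", "arn:aws:s3:::secrets-bucket/key"),
        ("s3:PutObject", "arn:aws:s3:::app-bucket/data.json"),
        ("iam:CreateUser", "*"),
        ("logs:CreateLogGroup", "arn:aws:logs:us-east-1:123456789012:*"),
    ]
    for (action, resource), allowed in effective_permissions(
            IDENTITY_POLICY, BOUNDARY, sample_requests).items():
        print(f"{action:22} {resource:45} -> {'ALLOW' if allowed else 'DENY'}")
```

The `iam:CreateUser` and `s3:PutObject` rows are the point of the exercise: the identity policy grants them, but the boundary never does, so they are denied. The `logs:CreateLogGroup` row shows the converse, a boundary on its own grants nothing. In a SAM template the same boundary ARN would be attached to every generated function role through the `Globals` `PermissionsBoundary` setting referenced above, which is what keeps a developer-authored function policy from exceeding the boundary.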