====== Permission Boundary ======

**What it is:** A managed policy attached to an IAM user or role that sets the **maximum permissions** that identity can have. It applies to users and roles only, not to groups.

**What it’s for:**
* Delegate IAM administration safely (e.g., let a team create roles or users, but only ones that cannot exceed the boundary). The delegating policy must require the boundary, typically with a condition on the `iam:PermissionsBoundary` key for `iam:CreateRole` / `iam:CreateUser` (and the `Put*Policy` / `Attach*Policy` actions); otherwise the team can simply create an identity with no boundary.
* Prevent privilege escalation.

**Key ideas:**
* A boundary does NOT grant permissions by itself; it only caps what identity-based policies can grant.
* Effective permissions = (identity-based policies) INTERSECT (permissions boundary): an action is allowed only if both allow it.
* An explicit deny in either the identity policy or the boundary still wins.
* Caveat: the boundary limits only identity-based policies. A resource-based policy (e.g., an S3 bucket policy) that names the user as principal is not limited by it, and SCPs are evaluated separately.

**Exam cues:**
* “User has an Allow policy but is still denied” → a permissions boundary may be limiting the identity.
* “Allow devs to create roles, but only within limits” → permissions boundary.

**Hard words:**
* *maximum* /ˈmæksɪməm/: the largest amount allowed (Vietnamese: tối đa)
* *intersect* /ˌɪntərˈsekt/: to overlap, the set of elements common to both (Vietnamese: giao nhau)
* *escalation* /ˌeskəˈleɪʃn/: climbing to a higher level, here gaining more privileges (Vietnamese: leo thang, tăng quyền)
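The intersection rule is easiest to see by running it. The following is an added example, not part of the original note and not AWS's evaluator: it is a deliberately simplified model of the identity-policy / permissions-boundary step of policy evaluation (wildcard `Action` and `Resource` matching only; no `Condition`, `NotAction`, SCPs, session policies, or resource-based policies). The two policy documents `DEV_POLICY` and `BOUNDARY` are constructed for this example.

```python
import fnmatch


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style wildcard match ('*' and '?'); action names are case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def evaluate(policy_docs, action, resource):
    """Evaluate a set of policy documents for one request.

    Returns "Deny" on any matching explicit Deny, "Allow" if some statement
    allows the request and none denies it, otherwise "ImplicitDeny".
    """
    result = "ImplicitDeny"
    for doc in policy_docs:
        for stmt in _as_list(doc["Statement"]):
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if not any(_matches(a, action) for a in actions):
                continue
            if not any(_matches(r, resource) for r in resources):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny always wins
            result = "Allow"
    return result


def is_allowed(identity_policies, boundary, action, resource):
    """Effective decision = identity policies INTERSECT boundary, deny wins.

    The boundary never grants anything on its own: if the identity policies
    do not allow the request, a permissive boundary does not help.
    """
    identity = evaluate(identity_policies, action, resource)
    if identity == "Deny":
        return False
    if boundary is not None and evaluate([boundary], action, resource) != "Allow":
        return False                   # outside the boundary, or boundary denies
    return identity == "Allow"


# Constructed sample: a developer's identity policy is broad on S3 ...
DEV_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "dynamodb:GetItem"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

# ... but the boundary caps it at read-only S3 plus EC2 describe calls.
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket", "s3:DeleteBucket", "ec2:Describe*"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::secrets-bucket"},
    ],
}


def dev_can(action, resource="*"):
    """Convenience wrapper for the sample identity above."""
    return is_allowed([DEV_POLICY], BOUNDARY, action, resource)


if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::data/report.csv"),
                     ("s3:PutObject", "arn:aws:s3:::data/report.csv"),
                     ("ec2:DescribeInstances", "*"),
                     ("s3:DeleteBucket", "arn:aws:s3:::data"),
                     ("s3:ListBucket", "arn:aws:s3:::secrets-bucket")]:
        print(f"{act:24} {res:36} -> {dev_can(act, res)}")
```

Each of the printed cases maps to one of the key ideas: `s3:PutObject` is allowed by the identity policy but not by the boundary (boundary limits); `ec2:DescribeInstances` is in the boundary but not in the identity policy (boundary grants nothing); `s3:DeleteBucket` is in both but explicitly denied by the identity policy; `s3:ListBucket` on the secrets bucket is explicitly denied by the boundary itself.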