Permission Boundary

What it is: A policy that sets the maximum permissions an IAM role/user can have.

What it’s for:

• Delegate IAM creation safely (e.g., allow a team to create roles but not exceed a boundary).
• Prevent privilege escalation.

Key ideas:

• Boundary does NOT grant permissions by itself.
• Effective permissions = (identity policies) INTERSECT (permission boundary).
• Explicit deny still wins.

Exam cues:

• “user has policy but still denied” → boundary may be limiting.
• “allow devs to create roles but only within limits” → permission boundary.

Hard words:

• *maximum* /ˈmæksɪməm/: tối đa
• *intersect* /ˌɪntərˈsekt/: giao nhau
• *escalation* /ˌeskəˈleɪʃn/: leo thang (tăng quyền)