IAM permission boundary
A permission boundary is an advanced IAM feature that acts as a ceiling on permissions. A role cannot have more permissions than those defined in its boundary.
It can be combined with SCPs. Use case: allow developers to grant permissions themselves, but not beyond what the SCP allows.
IAM Evaluation
IAM policy evaluation
- Explicit deny
- SCP
- Resource based policy
- Identity based policy
- Boundary
- Session principal/permission checking.
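The boundary rule and the evaluation list above can be sketched as a small evaluator. This is an added example, not AWS code: it is a simplified same-account model that matches on actions only and leaves out resource-based and session policies, and the policy contents and function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

def _matches(statement, action):
    # IAM action names are case-insensitive; "*" and "?" are wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in statement["Action"])

def _verdict(policy, action):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy."""
    effects = {s["Effect"] for s in policy if _matches(s, action)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None

def is_allowed(action, identity, boundary=None, scp=None):
    """Simplified decision: identity policy, optional boundary, optional SCP."""
    layers = [identity] + [p for p in (boundary, scp) if p is not None]
    verdicts = [_verdict(p, action) for p in layers]
    if "Deny" in verdicts:
        return False  # an explicit deny in any layer wins
    # Every layer that is present must allow: the result is the intersection.
    return all(v == "Allow" for v in verdicts)

# Constructed sample policies (statements reduced to Effect + Action).
SCP = [{"Effect": "Allow", "Action": ["*"]},
       {"Effect": "Deny", "Action": ["organizations:*"]}]
BOUNDARY = [{"Effect": "Allow", "Action": ["s3:*", "dynamodb:*", "logs:*"]}]
DEV_ROLE = [{"Effect": "Allow", "Action": ["*"]}]  # developer self-granted everything

def demo():
    actions = ["s3:GetObject", "iam:CreateUser", "organizations:LeaveOrganization"]
    return {a: is_allowed(a, DEV_ROLE, BOUNDARY, SCP) for a in actions}

if __name__ == "__main__":
    for action, ok in demo().items():
        print(f"{action:35} {'ALLOW' if ok else 'DENY'}")
```

Even though the developer's role grants `*`, only actions inside the boundary survive, and the SCP deny applies regardless of either.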