Iam policy evaluation_
#aws #iam #evaluation
IAM permission boundary
It is the advanced feature of IAM, like a boundary. The permission of a role cannot have higher permission that defined in the boundary.
Can combined with SCP. Usecase: Allow developer to grant permissions themself but not over than SCP. ![[Drawing 2023-03-02 21.30.06_0.excalidraw |600x400]]
IAM policy evaluation
- Explicit deny
- SCP
- Resource based policy
- Identity based policy
- Boundary
- Session principal/permission checking.