Automate Permission Boundary Attachment to IAM roles and Users
When we are managing multiple AWS Accounts in an Organization and each accounts will have their own requirement but as a centralized admin, we should be having a certain governance and compliance framework. IAM is a widely used AWS service and IAM roles/users are common used entity in AWS. As a centralized Admin, when we provide access to create IAM roles, cloud consumers in the landing zone accounts would create Users and Roles and attach Administrative policy and bypass the governance framework. In this blog, I will be briefing on restricting this scenario using IAM permission boundary and also deploying this setup through automation. AWS supports permissions boundaries for IAM entities (users or roles). A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity's permissions boundary allows