After we have understood how IAM User, Group, Policy and Role work in the previous 2 labs. In this lab, we will continue to learn about IAM Permission Boundary.
IAM Permission Boundary is an advanced feature that allows us to limit the maximum permissions to a User or Group. Assuming we apply a Permission Boundary that only allows the EC2admin user to administer the EC2 service, then he will not be able to have permissions on any other service even if he is assigned a higher permission Policy.
Therefore, the effective permissions of user EC2admin will include those allowed by both Permission Boundary and user EC2admin’s permissions policy ( Identity-based policy).
Usually, when you are giving permission to IAM users, you think that if you just build the permission policy for the user carefully, you will be able to skip the step of using the Permission Boundary.
However, as the number of users increases and the constant changes in the work roles of the users require you to create more and more new permission policies, the management of permissions becomes complicated, thereby creating vulnerabilities for privilege escalation in users.
To simplify permission management, instead of having to edit permission policies one by one, you can apply Permission Boundary quickly and in bulk to help you close privilege escalation vulnerabilities.