Creating a permissions boundary - AWS Prescriptive Guidance

Creating a permissions boundary

After you deploy the permission sets, you establish a permissions boundary. This permissions boundary is a mechanism to delegate IAM access to only users who are developing, testing, launching, and managing your cloud infrastructure. Those users can perform only the actions that are permitted by the policy and the permissions boundary.

You can define the permissions boundary in an AWS CloudFormation template and then use CloudFormation StackSets to deploy the template into multiple accounts. This helps you establish and maintain standardized policies across your organization with a single operation. For more information and instructions, see Working with AWS CloudFormation StackSets (CloudFormation documentation).

The following CloudFormation template provisions an IAM role and creates an IAM policy that acts as a permissions boundary. Using a stack set, you can deploy this template to all of the member accounts in your organization.

AWSTemplateFormatVersion: "2010-09-09"
# The Resources wrapper and comments are added here so the snippet deploys as a
# stand-alone template; the resource definitions are the guide's own.
Resources:
  # Role that CloudFormation assumes on behalf of developers. It carries
  # AdministratorAccess, but its effective permissions are capped by the boundary.
  CloudFormationRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          Effect: Allow
          Principal:
            Service: !Sub "cloudformation.${AWS::URLSuffix}"
          Action: "sts:AssumeRole"
          Condition:
            # Only CloudFormation in this same account can assume the role.
            StringEquals:
              "aws:SourceAccount": !Ref "AWS::AccountId"
      Description: !Sub "DO NOT DELETE - Used by CloudFormation. Created by CloudFormation ${AWS::StackId}"
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess"
      PermissionsBoundary: !Ref DeveloperBoundary
      RoleName: CloudFormationRole

  # Customer managed policy used as the permissions boundary.
  DeveloperBoundary:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      Description: Permission boundary for developers
      ManagedPolicyName: PermissionsBoundary
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Roles under the app/ path may be created or have policies attached
          # only when this same boundary is set on them.
          - Sid: AllowModifyIamRolesWithBoundary
            Effect: Allow
            Action:
              - "iam:AttachRolePolicy"
              - "iam:CreateRole"
              - "iam:DeleteRolePolicy"
              - "iam:DetachRolePolicy"
              - "iam:PutRolePermissionsBoundary"
              - "iam:PutRolePolicy"
            Resource: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/app/*"
            Condition:
              ArnEquals:
                "iam:PermissionsBoundary": !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/PermissionsBoundary"
          # Actions on app/ roles that cannot raise permissions need no condition.
          - Sid: AllowModifyIamRoles
            Effect: Allow
            Action:
              - "iam:DeleteRole"
              - "iam:TagRole"
              - "iam:UntagRole"
              - "iam:UpdateAssumeRolePolicy"
              - "iam:UpdateRole"
              - "iam:UpdateRoleDescription"
            Resource: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/app/*"
          # Services developers may provision through CloudFormation.
          - Sid: OverlyPermissiveAllowedServices
            Effect: Allow
            Action:
              - "lambda:*"
              - "apigateway:*"
              - "events:*"
              - "s3:*"
              - "logs:*"
            Resource: "*"

The CloudFormationRole role, PermissionsBoundary policy, and the DeveloperAccess permission set work together to grant the following permissions:

  • Users have read-only access to most AWS services, through the ReadOnlyAccess AWS managed policy.

  • Users have access to open support cases, through the AWSSupportAccess AWS managed policy.

  • Users have read-only access to the AWS Billing console dashboard, through the AWSBillingReadOnlyAccess AWS managed policy.

  • Users are able to provision new environments from AWS Proton, through the AWSProtonDeveloperAccess AWS managed policy.

  • Users are able to provision products from Service Catalog, through the AWSServiceCatalogEndUserFullAccess AWS managed policy.

  • Users are able to validate and estimate the cost of any CloudFormation template, through the inline policy.

  • By using the CloudFormationRole IAM role, users are able to create, update, or delete any CloudFormation stack that starts with app/.

  • Users are able to use CloudFormation to create, update, or delete IAM roles that start with app/. The PermissionsBoundary IAM policy prevents users from escalating their privileges.

  • Users can provision AWS Lambda, Amazon EventBridge, Amazon CloudWatch, Amazon Simple Storage Service (Amazon S3), and Amazon API Gateway resources only by using CloudFormation.

The following diagram and steps show how an authorized user, such as a developer, can create a new IAM role in a member account by using the permission sets, IAM roles, and permissions boundaries described in this guide:

  1. The user authenticates in IAM Identity Center and assumes the DeveloperAccess IAM role.

  2. The user initiates the cloudformation:CreateStack action and assumes the CloudFormationRole IAM role.

  3. The user initiates the iam:CreateRole action and uses CloudFormation to create a new IAM role.

  4. The PermissionsBoundary IAM policy is applied to the new IAM role.

[Diagram: User creating an IAM role that is subject to the permissions boundary in the member account]

The CloudFormationRole role has the AdministratorAccess managed policy attached, but because the PermissionsBoundary IAM policy is set as its boundary, the role's effective permissions become equal to the PermissionsBoundary policy. The PermissionsBoundary policy references its own ARN in the condition that allows the iam:CreateRole action, which ensures that roles can be created only if the permissions boundary is applied to them.
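The following Python script is an added illustration of the two points made above and in the bullet list: a permissions boundary caps the identity policy, and the self-referencing ArnEquals condition makes iam:CreateRole on app/ roles succeed only when the boundary is supplied. It is not AWS's policy engine and not part of the guide; it models only Allow statements, wildcard matching, and the ArnEquals operator, and it uses a constructed account ID (111122223333) with the template's !Sub values filled in.

```python
"""Simplified IAM evaluation of the PermissionsBoundary shown in this guide.

Added example, not AWS's evaluation engine: it models Allow statements,
'*'/'?' wildcards, the ArnEquals operator, and the rule that a request is
allowed only if both the identity policy (AdministratorAccess) and the
permissions boundary allow it. Deny statements and other operators are
not modelled.
"""
import fnmatch

PARTITION = "aws"
ACCOUNT = "111122223333"  # constructed sample account ID


def arn(suffix):
    return f"arn:{PARTITION}:iam::{ACCOUNT}:{suffix}"


BOUNDARY_ARN = arn("policy/PermissionsBoundary")

# The boundary document from the template, with !Sub expressions resolved.
PERMISSIONS_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowModifyIamRolesWithBoundary",
            "Effect": "Allow",
            "Action": ["iam:AttachRolePolicy", "iam:CreateRole", "iam:DeleteRolePolicy",
                       "iam:DetachRolePolicy", "iam:PutRolePermissionsBoundary",
                       "iam:PutRolePolicy"],
            "Resource": arn("role/app/*"),
            # The policy references its own ARN here.
            "Condition": {"ArnEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}},
        },
        {
            "Sid": "AllowModifyIamRoles",
            "Effect": "Allow",
            "Action": ["iam:DeleteRole", "iam:TagRole", "iam:UntagRole",
                       "iam:UpdateAssumeRolePolicy", "iam:UpdateRole",
                       "iam:UpdateRoleDescription"],
            "Resource": arn("role/app/*"),
        },
        {
            "Sid": "OverlyPermissiveAllowedServices",
            "Effect": "Allow",
            "Action": ["lambda:*", "apigateway:*", "events:*", "s3:*", "logs:*"],
            "Resource": "*",
        },
    ],
}

# AdministratorAccess, the identity-based policy attached to CloudFormationRole.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate ArnEquals only, which is the sole operator the boundary uses."""
    for operator, pairs in condition.items():
        if operator != "ArnEquals":
            raise NotImplementedError(f"operator {operator} is not modelled")
        for key, expected in pairs.items():
            actual = context.get(key)
            # A request that carries no iam:PermissionsBoundary value (a CreateRole
            # call without a boundary parameter) cannot satisfy ArnEquals.
            if actual is None:
                return False
            if not any(fnmatch.fnmatchcase(actual, e) for e in _as_list(expected)):
                return False
    return True


def policy_allows(policy, action, resource, context=None):
    """True if any Allow statement matches the action, resource and condition."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        # Action names are matched case-insensitively; ARNs are case-sensitive.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        return True
    return False


def effective_allows(identity_policy, boundary, action, resource, context=None):
    """Effective permissions are the intersection of identity policy and boundary."""
    return (policy_allows(identity_policy, action, resource, context)
            and policy_allows(boundary, action, resource, context))


def evaluate(action, resource, context=None):
    """Evaluate a request made through CloudFormationRole."""
    return effective_allows(ADMINISTRATOR_ACCESS, PERMISSIONS_BOUNDARY,
                            action, resource, context)


if __name__ == "__main__":
    app_role = arn("role/app/lambda-exec")
    print("CreateRole with boundary:", evaluate("iam:CreateRole", app_role,
          {"iam:PermissionsBoundary": BOUNDARY_ARN}))
    print("CreateRole without boundary:", evaluate("iam:CreateRole", app_role))
    print("ec2:RunInstances (admin allows, boundary does not):",
          evaluate("ec2:RunInstances", "*"))
```

Running the script shows that AdministratorAccess alone would allow ec2:RunInstances, yet the boundary removes it from the role's effective permissions, and that iam:CreateRole on an app/ role is allowed only when the request's iam:PermissionsBoundary value is the PermissionsBoundary ARN; a role outside the app/ path, or a different boundary ARN, is refused.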