These are policies that govern the maximum permissions that an identity-based policy can associate with any user or role; however, the permissions boundary policy itself does not apply permissions to users or roles. It simply restricts those given by the identity-based policy.
To create a permissions boundary, you can perform the following steps:
- From within the IAM management console, select your user or role. In this example, we have selected a user who has been assigned permissions from a group, AmazonS3FullAccess (as per the best practices), giving full access to S3. However, if you wanted to restrict this level of access to S3 either temporarily or permanently for this particular user, you could set a permissions boundary:
- Select the arrow next to Permissions boundary (not set). This will open a drop-down menu:
- Select Set boundary. This will then take you to a screen showing all the managed policies (both AWS- and customer-managed policies...