Skip to main content

5. Permissions

Boundaries

Only Identity permissions are impacted by any boundaries - resource permissions are applied in full.

They do not grant any access on their own - they identify the MAXIMUM permissions an identity can receive.

Delegation problems

Problem: Dupo wants Lizz to be an IAM Admin, so he gives her iam:*. Lizz then can create a new user and give it AWSFullAccess permissions. image.png

Policy Evaluation Logic

  • Organization SCPs
  • Resource Policies
  • IAM Identity Policies
  • Session Policies
  • Identity Policies
  • different accounts...

image.png

image.png

Cross account? Both accounts need to allow from both.

image.png