Cloud & Infrastructure Practical By Samson Tanimawo, PhD Published Apr 30, 2026 4 min read

IAM Permission Boundaries Pattern

Permission boundaries cap the maximum permissions any role can have. This is the pattern that lets developers create roles safely.

The idea

A permission boundary is a policy that caps the effective permissions of a role.

A developer can create roles with any policy, but the role's effective permissions are the intersection of its own policy and the boundary.

Apply

Apply a default boundary to every developer-created role. It excludes destructive permissions, billing, and IAM changes.

Developers can iterate freely without escalation risk.

Audit

Periodically ask: are roles bumping against the boundary? If so, the boundary may be too tight.

Or the role is asking for permissions it should not have. Either way, investigate.
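As an added example that is not part of the original post, the Python below models the intersection described under "The idea" and the "bumping against the boundary" check from the audit section, using constructed sample policies; it is a deliberately simplified evaluator that looks only at Action and Effect and ignores Resource, Condition and NotAction.

```python
import fnmatch

# Constructed sample boundary (an assumption, not a real account's policy):
# allow everything, then deny IAM changes, billing and a few destructive calls.
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Resource": "*",
         "Action": ["iam:*", "aws-portal:*", "s3:DeleteBucket",
                    "ec2:TerminateInstances"]},
    ],
}

# Constructed role policy as a developer might write it.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "iam:PassRole"], "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def evaluate(policy, action):
    """One action against one policy: 'allow', 'explicit_deny' or 'implicit_deny'.
    Simplified: Action/Effect only; action names are case-insensitive and the
    IAM wildcards '*' and '?' are honoured."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        patterns = _as_list(stmt.get("Action", []))
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "explicit_deny"  # an explicit Deny always wins
            decision = "allow"
    return decision

def effective_decision(role_policy, boundary, action):
    """Intersection: allowed only when both the role policy and the boundary allow."""
    if evaluate(role_policy, action) != "allow":
        return "denied_by_policy"
    if evaluate(boundary, action) != "allow":
        return "denied_by_boundary"
    return "allow"

def boundary_hits(role_policy, boundary, attempted_actions):
    """Audit helper: actions the role's own policy grants but the boundary blocks,
    i.e. where the role is bumping against the boundary."""
    return [a for a in attempted_actions
            if effective_decision(role_policy, boundary, a) == "denied_by_boundary"]
```

The boundary only holds if developers cannot create a role without attaching it; in AWS that enforcement lives in the developers' own permissions via the `iam:PermissionsBoundary` condition key on role-creation and policy-attachment actions.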