Skip to main content

Permission Boundary

A Permission Boundary is a way to define the maximum scope of permissions a user or role can have. It limits the user or role's permissions but does not specify the actual permissions.

Setting the permission boundary

To set a permission boundary on all IAM users and roles created in your Stack instances, you can do the following.

import * as iam from "@aws-cdk/aws-iam";
import { StackContext } from "sst/constructs";

export function MyStack({ stack }: StackContext) {
const boundary = new iam.ManagedPolicy(stack, "Boundary", {
statements: [
new iam.PolicyStatement({
effect: iam.Effect.DENY,
actions: ["iam:*"],
resources: ["*"],