A team wants to delegate IAM management to developers, but must ensure developers can never grant themselves permissions beyond a specific limit. Which AWS mechanism best matches this requirement?
Trap 1: Rely only on their IAM managed policies and instruct developers to…
Guidelines and self-checks are not enforceable controls. Developers could accidentally (or intentionally) attach policies that exceed the intended maximum permissions.
Trap 2: Use a service control policy (SCP) that applies only to the…
SCPs are evaluated at the organization/account level and constrain allowed API actions for principal types across affected accounts/OUs. They are not the most direct tool for capping an individual principal’s maximum effective permissions in the way permission boundaries do (and SCPs are not designed for per-identity “maximum permission” limits).
Trap 3: Use a KMS key policy to restrict IAM actions, because IAM actions…
KMS key policies govern cryptographic key usage (for example, Encrypt/Decrypt) and do not control whether a principal is authorized to grant or perform IAM permissions. KMS does not function as an IAM permissions cap mechanism.
- A
Use an IAM permission boundary on roles/users that developers create, so the developers’ effective permissions are capped by the boundary policy.
Permission boundaries constrain the maximum permissions that an identity can receive. Even if developers attach an identity policy that allows broader actions, the effective permissions are limited to the intersection of the identity policy and the boundary.
- B
Rely only on their IAM managed policies and instruct developers to self-check against internal guidelines.
Why wrong: Guidelines and self-checks are not enforceable controls. Developers could accidentally (or intentionally) attach policies that exceed the intended maximum permissions.
- C
Use a service control policy (SCP) that applies only to the developers’ IAM users in the account.
Why wrong: SCPs are evaluated at the organization/account level and constrain allowed API actions for principal types across affected accounts/OUs. They are not the most direct tool for capping an individual principal’s maximum effective permissions in the way permission boundaries do (and SCPs are not designed for per-identity “maximum permission” limits).
- D
Use a KMS key policy to restrict IAM actions, because IAM actions can be controlled with KMS.
Why wrong: KMS key policies govern cryptographic key usage (for example, Encrypt/Decrypt) and do not control whether a principal is authorized to grant or perform IAM permissions. KMS does not function as an IAM permissions cap mechanism.