8.1 Advanced IAM — Permission Boundaries, Federation, and Cross-Account
Key Takeaways
- A permission boundary is a managed policy that caps the MAXIMUM permissions an IAM user or role can ever have — effective permissions are the intersection of the identity policy and the boundary.
- Service Control Policies (SCPs) live in AWS Organizations and cap permissions for entire accounts/OUs; they never GRANT access, only filter it, and do not apply to the management account.
- Cross-account access via IAM roles uses a trust policy in the target account plus sts:AssumeRole from the source; STS returns temporary credentials (default 1 hour, max 12 hours).
- Resource-based policies (S3 bucket, SQS, SNS, KMS key, Lambda) grant cross-account access while the caller KEEPS its original identity — no role assumption needed.
- IAM Access Analyzer finds resources shared externally and can generate least-privilege policies from CloudTrail; ExternalId in a trust policy defeats the confused-deputy problem for third parties.
Quick Answer: A permission boundary caps the max permissions a user/role can have; effective access = identity policy INTERSECT boundary. Service Control Policies (SCPs) cap whole accounts/OUs in AWS Organizations but never grant. Cross-account access uses an IAM role (trust policy +
sts:AssumeRole) or a resource-based policy (caller keeps its identity). IAM Identity Center delivers SSO across many accounts. IAM Access Analyzer flags external sharing and builds least-privilege policies.
Permission Boundaries
A permission boundary is a managed policy attached to an IAM user or role that defines the ceiling on permissions. It never grants access by itself — it only limits what an identity policy can effectively allow. The exam loves the privilege-escalation scenario: let developers create roles for Lambda or EC2 without letting them mint an admin role.
The intersection rule
Effective permissions = Identity (or session) policy AND Permission Boundary. An action is allowed only if BOTH allow it, with no explicit Deny anywhere (an explicit Deny in any policy always wins).
| Identity Policy Grants | Permission Boundary Allows | Effective Permissions |
|---|---|---|
s3:*, ec2:*, rds:* | s3:*, ec2:* | s3:*, ec2:* (rds blocked) |
s3:GetObject | s3:*, ec2:* | s3:GetObject |
ec2:TerminateInstances | s3:* only | None (ec2 not in boundary) |
s3:* (with explicit Deny s3:DeleteObject) | s3:* | s3:* except DeleteObject |
Boundaries vs SCPs vs identity policies
This distinction is a frequent trap. SCPs are an AWS Organizations feature; they apply to entire accounts or Organizational Units (OUs) and filter the permissions of every IAM principal in those accounts (root user included for member accounts, but SCPs do not restrict the management account). A permission boundary is attached to a single user or role. An identity policy is what actually grants. For a request to succeed it must pass all layers: SCP allows it, the boundary allows it, the identity policy allows it, and no Deny blocks it.
Common Trap: SCPs and permission boundaries NEVER grant permissions. If an SCP is the only thing 'allowing' an action, the principal still has zero access until an identity or resource policy grants it.
IAM Identity Center (formerly AWS SSO)
IAM Identity Center centralizes workforce sign-in across every account in an AWS Organization and into SAML business apps.
| Feature | Detail |
|---|---|
| Single sign-on | One login to all member accounts and to SAML 2.0 apps (Salesforce, Slack) |
| Identity source | Built-in directory, AWS Managed Microsoft AD / AD Connector, or external IdP (Okta, Entra ID) |
| Permission sets | Reusable bundles of IAM policies mapped to users/groups per account |
| ABAC | Pass directory attributes as session tags for attribute-based access control |
On the Exam: 'Employees need SSO to 50 accounts by job function' → IAM Identity Center with permission sets. 'A workload in account A needs temporary access to account B' → cross-account IAM role.
Cross-Account Access
Method 1 — IAM roles (most common, all services)
- Target account creates a role whose trust policy lists the source account/principal as a trusted entity (the
Principal). - Source principal calls
sts:AssumeRoleon that role. - AWS Security Token Service (STS) returns temporary credentials (default 1 hour, configurable 15 min – 12 hours via
DurationSeconds/MaxSessionDuration). - The caller uses those credentials and is logged in the target account's CloudTrail as the role.
Method 2 — Resource-based policies (only some services)
S3 bucket, SQS queue, SNS topic, KMS key, and Lambda function policies can name an external account directly. The caller keeps its own identity (no AssumeRole), so CloudTrail in the target account records the original principal.
| Feature | IAM Role | Resource-Based Policy |
|---|---|---|
| Identity after access | Assumes a new role identity | Keeps original identity |
| CloudTrail in target | Logged as the role | Logged as original principal |
| Service support | All services | S3, SQS, SNS, KMS, Lambda only |
Confused-deputy and ExternalId
When you grant a third-party SaaS (e.g., a monitoring vendor) a role, set an ExternalId condition in the trust policy. The vendor must pass that unique value on AssumeRole, preventing another customer of the same vendor from tricking the vendor into accessing your account — the confused-deputy problem.
IAM Access Analyzer
| Capability | Detail |
|---|---|
| External access findings | Flags S3 buckets, IAM roles, KMS keys, Lambda, SQS shared outside your account/Org |
| Policy validation | Lints policies against grammar and security best-practice checks |
| Policy generation | Builds least-privilege policies from CloudTrail activity history |
| Unused access | Surfaces unused roles, access keys, and permissions |
On the Exam: 'Find S3 buckets or roles reachable from outside the account' → IAM Access Analyzer external findings. 'Generate a least-privilege policy from what the role actually did' → Access Analyzer policy generation from CloudTrail.
Temporary Credentials and Federation
The SAA-C03 exam consistently prefers temporary credentials over long-lived access keys. Several mechanisms all flow through STS:
- IAM roles for EC2 (instance profile): the instance retrieves rotating credentials from the metadata service — never hard-code keys on an instance.
- Web identity federation / Amazon Cognito: mobile or web users sign in with an external identity provider (Google, Apple, a SAML/OIDC IdP) and Cognito identity pools exchange that token for temporary AWS credentials scoped to a role.
- SAML 2.0 federation: enterprise users authenticate against the corporate IdP and assume a role via
AssumeRoleWithSAML.
| Audience | Mechanism | Result |
|---|---|---|
| EC2 / Lambda / ECS task | IAM role attached to the compute | Auto-rotated temporary credentials |
| Mobile/web app users | Cognito identity pool + IdP | Short-lived role credentials per user |
| Corporate workforce | IAM Identity Center or SAML federation | SSO into accounts via permission sets/roles |
Common Trap: 'A mobile app needs to upload directly to S3 for millions of users' → Cognito identity pools issuing temporary credentials, NOT one shared IAM user with embedded keys. Embedding access keys in an app is an automatic wrong answer.
A company wants to let developers create IAM roles for their Lambda functions but must prevent any created role from having administrative privileges. Which control enforces this ceiling?
A third-party monitoring vendor needs read access to your account by assuming a cross-account role. What should you add to the role's trust policy to prevent the confused-deputy problem?