Permissions that principal access boundary policies block
Stay organized with collections
Save and categorize content based on your preferences.
When principals try to access a resource that they aren't eligible to access,
principal access boundary policies prevent them from using some, but not all,
Identity and Access Management (IAM) permissions to access the resource.
If a principal access boundary policy blocks a permission, then IAM
enforces principal access boundary policies for that permission. In other words, it
prevents any principals that aren't eligible to access a resource from using
that permission to access the resource.
If a principal access boundary policy doesn't block a permission, then
principal access boundary policies have no effect on whether principals can use the
permission.
Periodically, IAM adds new principal access boundary enforcement
versions that can block additional permissions. Each new version can also block
all of the permissions in the previous version.
This page lists the permissions that each enforcement version can block.
Policies with enforcement version 2 can block all of the permissions listed in
Enforcement version 1. Additionally, policies with the enforcement
version 2 can also block all of the permissions listed in the following table.
Each row contains the following information:
The name of a service with permissions that principal access boundary policies can
block.
The permissions for that service that principal access boundary policies can block.
In some cases, a section of a permission name is replaced with a wildcard
character (*). This format indicates that principal access boundary policies can
block all permissions that match that pattern.
The following table lists the permissions that principal access boundary policies
with enforcement version 1 can block.
Each row contains the following information:
The name of a service with permissions that principal access boundary policies can
block.
The permissions for that service that principal access boundary policies can block.
In some cases, a section of a permission name is replaced with a wildcard
character (*). This format indicates that principal access boundary policies can
block all permissions that match that pattern.
The permissions for the service that principal access boundary can't block, even if
those permissions match one of the supported permission patterns.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-12-12 UTC."],[],[]]