Skill

implementing-aws-iam-permission-boundaries

Implements AWS IAM permission boundaries to enable security teams to delegate role creation to developers while enforcing least-privilege maximum permissions. Useful for secure IAM management in teams.

AWS

Terraform

CloudFormation

security

npx claudepluginhub killvxk/cybersecurity-skills-zh

Tool Access

This skill uses the workspace's default tool permissions.

Preview

IAM 权限边界（Permission Boundaries）是 AWS 的高级功能，用于设置基于身份的策略可以向 IAM 实体（用户或角色）授予的最大权限。它们使集中式安全团队能够安全地将 IAM 角色和策略创建委托给应用开发者，而不会有权限提升的风险。实体的有效权限是其基于身份的策略与权限边界的交集——即使身份策略授予了 `AdministratorAccess`，权限边界也会将其限制为仅允许的操作。

Supporting Assets

LICENSEassets/template.mdreferences/api-reference.mdreferences/standards.mdreferences/workflows.mdscripts/agent.pyscripts/process.py

SKILL.md

Similar Skills

implementing-aws-iam-permission-boundaries

Implements AWS IAM permission boundaries to delegate role creation to developers while enforcing security team's maximum privilege limits.

asi

implementing-aws-iam-permission-boundaries

5.9k

Implements AWS IAM permission boundaries to delegate role creation to developers while enforcing maximum privilege limits from security teams. For compliance-aligned IAM setups.

7 files

cybersecurity-skills

aws-cloudformation-iam

174

Provides AWS CloudFormation patterns for IAM roles, policies, managed policies, permission boundaries, and trust relationships. Use for least-privilege access, cross-account assumptions, service roles, and reusable stacks.

2 files3 tools

developer-kit-aws

Stats

Stars10

Forks1

Last CommitMar 17, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

实施 AWS IAM 权限边界

概述

IAM 权限边界（Permission Boundaries）是 AWS 的高级功能，用于设置基于身份的策略可以向 IAM 实体（用户或角色）授予的最大权限。它们使集中式安全团队能够安全地将 IAM 角色和策略创建委托给应用开发者，而不会有权限提升的风险。实体的有效权限是其基于身份的策略与权限边界的交集——即使身份策略授予了 AdministratorAccess，权限边界也会将其限制为仅允许的操作。

前置条件

具有 IAM 管理员访问权限的 AWS 账户
了解 AWS IAM 策略语言（JSON）
配置了适当凭据的 AWS CLI v2
用于基础设施即代码部署的 Terraform 或 CloudFormation

核心概念

权限边界的工作原理

基于身份的策略              权限边界
（角色能做什么）      ∩    （角色可以做什么）
        │                              │
        └──────────┬───────────────────┘
                   │
          有效权限
    （仅两个策略都允许的操作）

策略评估逻辑

AWS 按以下顺序评估权限：

显式拒绝 — 在任何策略中始终优先
Organizations SCP — 设置组织范围的最大权限
权限边界 — 设置实体级别的最大权限
基于身份的策略 — 授予实际权限
基于资源的策略 — 跨账户访问（单独评估）

实体只有在所有适用的策略类型都允许时才能执行操作。

主要使用场景

使用场景	描述
开发者委托	允许开发者创建 IAM 角色，但不能超出其边界范围
沙箱隔离	限制沙箱/开发账户中角色的操作范围
多租户工作负载	确保特定于租户的角色无法访问其他租户的资源
CI/CD 流水线角色	将自动化角色限制在特定服务

实施步骤

步骤 1：定义权限边界策略

创建一个定义最大允许权限的托管策略：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowedServices",
            "Effect": "Allow",
            "Action": [
                "s3:*",
                "dynamodb:*",
                "lambda:*",
                "logs:*",
                "cloudwatch:*",
                "sqs:*",
                "sns:*",
                "events:*",
                "states:*",
                "xray:*",
                "ec2:Describe*",
                "ec2:CreateTags",
                "sts:AssumeRole",
                "kms:Decrypt",
                "kms:GenerateDataKey",
                "kms:DescribeKey",
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowIAMPassRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/app-*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "lambda.amazonaws.com",
                        "states.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "DenyBoundaryDeletion",
            "Effect": "Deny",
            "Action": [
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:CreatePolicyVersion"
            ],
            "Resource": "arn:aws:iam::*:policy/DeveloperBoundary"
        },
        {
            "Sid": "DenyBoundaryRemoval",
            "Effect": "Deny",
            "Action": [
                "iam:DeleteUserPermissionsBoundary",
                "iam:DeleteRolePermissionsBoundary"
            ],
            "Resource": "*"
        }
    ]
}

步骤 2：创建开发者委托策略

授予开发者创建 IAM 角色的能力，但必须附加边界：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreateRoleWithBoundary",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy"
            ],
            "Resource": "arn:aws:iam::*:role/app-*",
            "Condition": {
                "StringEquals": {
                    "iam:PermissionsBoundary": "arn:aws:iam::*:policy/DeveloperBoundary"
                }
            }
        },
        {
            "Sid": "AllowCreatePolicyScoped",
            "Effect": "Allow",
            "Action": [
                "iam:CreatePolicy",
                "iam:DeletePolicy",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion"
            ],
            "Resource": "arn:aws:iam::*:policy/app-*"
        },
        {
            "Sid": "AllowViewIAM",
            "Effect": "Allow",
            "Action": [
                "iam:Get*",
                "iam:List*"
            ],
            "Resource": "*"
        }
    ]
}

步骤 3：附加边界

# 创建边界策略
aws iam create-policy \
    --policy-name DeveloperBoundary \
    --policy-document file://developer-boundary.json

# 将边界附加到现有角色
aws iam put-role-permissions-boundary \
    --role-name developer-role \
    --permissions-boundary arn:aws:iam::123456789012:policy/DeveloperBoundary

# 创建带边界的新角色
aws iam create-role \
    --role-name app-lambda-executor \
    --assume-role-policy-document file://trust-policy.json \
    --permissions-boundary arn:aws:iam::123456789012:policy/DeveloperBoundary

步骤 4：防止权限提升

边界必须包含拒绝语句，防止开发者：

从自己的角色中移除边界
修改边界策略本身
创建未附加边界的角色
访问 IAM 服务进行权限提升

步骤 5：使用 Terraform 部署

resource "aws_iam_policy" "developer_boundary" {
  name   = "DeveloperBoundary"
  path   = "/"
  policy = file("${path.module}/policies/developer-boundary.json")
}

resource "aws_iam_role" "app_role" {
  name                 = "app-lambda-executor"
  assume_role_policy   = data.aws_iam_policy_document.lambda_trust.json
  permissions_boundary = aws_iam_policy.developer_boundary.arn
}

implementing-aws-iam-permission-boundaries

Tool Access

Preview

Supporting Assets

SKILL.md

Similar Skills

Help us improve

Help us improve

implementing-aws-iam-permission-boundaries

Tool Access

Preview

Supporting Assets

SKILL.md

实施 AWS IAM 权限边界

概述

前置条件

核心概念

权限边界的工作原理

策略评估逻辑

主要使用场景

实施步骤

步骤 1：定义权限边界策略

步骤 2：创建开发者委托策略

步骤 3：附加边界

步骤 4：防止权限提升

步骤 5：使用 Terraform 部署

验证清单

参考资料

Similar Skills

Help us improve

实施 AWS IAM 权限边界

概述

前置条件

核心概念

权限边界的工作原理

策略评估逻辑

主要使用场景

实施步骤

步骤 1：定义权限边界策略

步骤 2：创建开发者委托策略

步骤 3：附加边界

步骤 4：防止权限提升

步骤 5：使用 Terraform 部署

验证清单

参考资料