acantril / aws-sa-pro

Course Files for AWS Certified Solutions Architect - Professional - Adrian Cantrill
MIT License
737 stars 505 forks

Not necessary to have explicit deny DeleteUserPermissionsBoundary #10

Closed suphanf closed 2 years ago

suphanf commented 2 years ago

It is not necessary to have explicit deny DeleteUserPermissionsBoundary since this action will not be allowed by any other statements in this boundary.

acantril commented 2 years ago

It's there to stop escalation.

suphanf commented 2 years ago

One user can only have one permission boundary. It is not possible to have another competing boundary taking effect at the same time. Any user with this boundary will never have this permission regardless of any IAM policy attached unless an admin decides to use this boundary as a normal IAM policy.

@acantril You don't have to accept this pull request. I just need some clarification.

acantril commented 2 years ago

I'm not sure what you're wanting clarified? I've responded with why it's there. It's there to stop privilege escalation. Explicit denies in boundaries often exist even if there isn't a broader allow.
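An added illustration of the point argued in this thread (example code, not part of the course files): a simplified model of IAM policy evaluation over constructed sample policies. It shows that the explicit Deny makes no difference while the document is used as a permissions boundary (the action is already implicitly denied), but that it still blocks the action if the same document is ever attached as an ordinary identity policy next to a broader allow. The policy documents, `without_deny`, `verdict` and `is_allowed` are all assumptions of this example; resource and condition matching are left out.

```python
import copy
import fnmatch

# Constructed sample documents for this illustration (not the repository's files).
BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "iam:GetUser"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:DeleteUserPermissionsBoundary", "Resource": "*"},
]}
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def without_deny(policy):
    """Copy of a policy with its explicit Deny statements removed."""
    p = copy.deepcopy(policy)
    p["Statement"] = [s for s in p["Statement"] if s["Effect"] != "Deny"]
    return p

def _matches(action, pattern):
    # IAM action names match case-insensitively and support '*' wildcards.
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def verdict(policies, action):
    """Deny if any matching statement denies, Allow if any allows, else Implicit."""
    result = "Implicit"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(action, stmt["Action"]):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                result = "Allow"
    return result

def is_allowed(action, identity_policies, boundary=None):
    """Simplified IAM evaluation: an explicit Deny anywhere wins; otherwise the
    action needs an Allow from the identity policies AND, when a boundary is
    set, an Allow from the boundary (resource/condition matching omitted)."""
    if verdict(identity_policies, action) != "Allow":
        return False
    return boundary is None or verdict([boundary], action) == "Allow"

if __name__ == "__main__":
    act = "iam:DeleteUserPermissionsBoundary"
    # As a boundary, the Deny changes nothing: no Allow matches, so it is implicitly denied.
    print(is_allowed(act, [ADMIN], boundary=without_deny(BOUNDARY)))  # False
    print(is_allowed(act, [ADMIN], boundary=BOUNDARY))               # False
    # Attached as an ordinary identity policy beside an admin policy, only the
    # explicit Deny still blocks the action.
    print(is_allowed(act, [ADMIN, without_deny(BOUNDARY)]))          # True
    print(is_allowed(act, [ADMIN, BOUNDARY]))                         # False
```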

acantril commented 2 years ago

If you're wanting a wider discussion, this really isn't the place for it. That's why I created https://techstudyslack.com