Closed suphanf closed 2 years ago
It's there to stop escalation.
One user can only have one permission boundary. It is not possible to have another competing boundary taking effect at the same time. Any user with this boundary will never have this permission regardless of any IAM policy attached unless an admin decides to use this boundary as a normal IAM policy.
@acantril You don't have to accept this pull request. I just need some clarification.
I'm not sure what you're wanting clarified? I've responded with why it's there. It's there to stop privilege escalation. Explicit denies in boundaries often exist even if there isn't a broader allow.
If you're wanting a wider discussion, this really isn't the place for it. That's why I created https://techstudyslack.com
It is not necessary to have explicit deny DeleteUserPermissionsBoundary since this action will not be allowed by any other statements in this boundary.
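The two positions above turn on how IAM evaluates a permissions boundary: the boundary is intersected with the identity policies, and an explicit Deny in any evaluated document wins. The following is an added example, not code from this repository or from either commenter. It is a deliberately simplified evaluator (action names only; resources and conditions are ignored) run against constructed policy documents, so the boundary contents and the over-broad `iam:*` identity policy are assumptions for illustration. It shows both points: with the document attached as a boundary, `iam:DeleteUserPermissionsBoundary` is denied whether or not the explicit Deny is present, and if the same document is ever attached as an ordinary identity policy alongside a broader Allow, only the explicit Deny still blocks the action.

```python
"""Simplified IAM evaluation: identity policies intersected with a permissions
boundary, with explicit Deny always winning. Added example for the thread above;
all policy documents below are constructed, not the repository's boundary."""
from fnmatch import fnmatchcase


def _matches(pattern, action):
    # IAM action names match case-insensitively; '*' and '?' are wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def _effect(policy, action):
    """Return 'Deny', 'Allow' or None for one policy document (actions only)."""
    result = None
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny is final within this document
            result = "Allow"
    return result


def is_allowed(action, identity_policies, boundary=None):
    """Combine identity policies with an optional permissions boundary.

    1. Any explicit Deny in any evaluated document -> denied.
    2. Otherwise the action must be allowed by an identity policy AND, when a
       boundary is attached, also allowed by the boundary (the intersection).
    """
    effects = [_effect(p, action) for p in identity_policies]
    if boundary is not None:
        effects.append(_effect(boundary, action))
    if "Deny" in effects:
        return False
    if boundary is not None:
        return effects[-1] == "Allow" and "Allow" in effects[:-1]
    return "Allow" in effects


# Constructed boundary: lets the bounded identity administer S3 and read IAM,
# and carries the explicit deny under discussion.
BOUNDARY_WITH_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "iam:Get*", "iam:List*"]},
        {"Effect": "Deny", "Action": "iam:DeleteUserPermissionsBoundary"},
    ],
}
# The same boundary with the explicit deny removed.
BOUNDARY_WITHOUT_DENY = {
    "Version": "2012-10-17",
    "Statement": [BOUNDARY_WITH_DENY["Statement"][0]],
}
# Constructed identity policy that is over-broad on purpose.
IAM_ADMIN = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "iam:*"}]}
S3_ONLY = {"Version": "2012-10-17",
           "Statement": [{"Effect": "Allow", "Action": "s3:*"}]}

ACTION = "iam:DeleteUserPermissionsBoundary"


def compare():
    """Evaluate the action under both documents, used two different ways."""
    return {
        # Case 1: document used as a boundary. Denied either way, because the
        # boundary's Allow statements never cover the action.
        "boundary_with_deny": is_allowed(ACTION, [IAM_ADMIN], BOUNDARY_WITH_DENY),
        "boundary_without_deny": is_allowed(ACTION, [IAM_ADMIN], BOUNDARY_WITHOUT_DENY),
        # Case 2: the same document attached as an ordinary identity policy next
        # to the over-broad one. Only the explicit Deny still blocks the action.
        "identity_with_deny": is_allowed(ACTION, [IAM_ADMIN, BOUNDARY_WITH_DENY]),
        "identity_without_deny": is_allowed(ACTION, [IAM_ADMIN, BOUNDARY_WITHOUT_DENY]),
        # Sanity check: an action the boundary does allow still goes through.
        "s3_under_boundary": is_allowed("s3:PutObject", [S3_ONLY], BOUNDARY_WITH_DENY),
    }


if __name__ == "__main__":
    for case, allowed in compare().items():
        print(f"{case:24} allowed={allowed}")
```

The `identity_without_deny` case is the only one that comes back allowed, which is the scenario the explicit Deny guards against; under a properly attached boundary the result is the same with or without it. Real IAM evaluation also applies resource ARNs, conditions, SCPs and session policies, none of which this toy evaluator models.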