aws-cdk-lib.PermissionsBoundary

class PermissionsBoundary

Language             Type name
.NET                 Amazon.CDK.PermissionsBoundary
Go                   github.com/aws/aws-cdk-go/awscdk/v2#PermissionsBoundary
Java                 software.amazon.awscdk.PermissionsBoundary
Python               aws_cdk.PermissionsBoundary
TypeScript (source)  aws-cdk-lib » PermissionsBoundary

Apply a permissions boundary to all IAM Roles and Users within a specific scope.

A permissions boundary is typically applied at the Stage scope. This allows setting different permissions boundaries per Stage. For example, you may not apply a boundary to the Dev stage which deploys to a personal dev account, but you do apply the default boundary to the Prod stage.

It is possible to apply different permissions boundaries to different scopes within your app. In this case the most specifically applied one wins: a boundary set on a Stack overrides one set on its enclosing Stage.

Example

// no permissions boundary for dev stage
new Stage(app, 'DevStage');

// default boundary for prod stage
const prodStage = new Stage(app, 'ProdStage', {
  permissionsBoundary: PermissionsBoundary.fromName('prod-pb'),
});

// overriding the pb applied for this stack
new Stack(prodStage, 'ProdStack1', {
  permissionsBoundary: PermissionsBoundary.fromName('stack-pb'),
});

// will inherit the permissions boundary from the stage
new Stack(prodStage, 'ProdStack2');

Methods

Name                   Description
static fromArn(arn)    Apply a permissions boundary with the given ARN to all IAM Roles and Users created within a scope.
static fromName(name)  Apply a permissions boundary with the given name to all IAM Roles and Users created within a scope.

static fromArn(arn)

public static fromArn(arn: string): PermissionsBoundary

Parameters

  • arn string — the ARN of the permissions boundary policy.

Returns

  • PermissionsBoundary

Apply a permissions boundary with the given ARN to all IAM Roles and Users created within a scope.

The arn can include placeholders for the partition, region, qualifier, and account. These placeholders will be replaced with the actual values if available. This requires that the Stack has its environment specified; it does not work with environment-agnostic stacks.

  • '${AWS::Partition}'
  • '${AWS::Region}'
  • '${AWS::AccountId}'
  • '${Qualifier}'

Example

new Stage(app, 'ProdStage', {
  permissionsBoundary: PermissionsBoundary.fromArn('arn:aws:iam::${AWS::AccountId}:policy/my-custom-permissions-boundary'),
});

static fromName(name)

public static fromName(name: string): PermissionsBoundary

Parameters

  • name string — the name of the permissions boundary policy.

Returns

  • PermissionsBoundary

Apply a permissions boundary with the given name to all IAM Roles and Users created within a scope.

The name can include placeholders for the partition, region, qualifier, and account. These placeholders will be replaced with the actual values if available. This requires that the Stack has its environment specified; it does not work with environment-agnostic stacks.

  • '${AWS::Partition}'
  • '${AWS::Region}'
  • '${AWS::AccountId}'
  • '${Qualifier}'

Example

new Stage(app, 'ProdStage', {
  permissionsBoundary: PermissionsBoundary.fromName('my-custom-permissions-boundary'),
});
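As an added illustration (not aws-cdk-lib code) of the two behaviours this page documents, the scope precedence shown in the Stage/Stack example above and the placeholder substitution described under fromArn and fromName, the following TypeScript models a construct tree and resolves the boundary ARN that would apply to a role in each stack. The Scope type, the kind labels, the sample account id and the way a bare name is expanded to an ARN are assumptions of this model, not the library's API; the qualifier default is CDK's standard bootstrap qualifier.

```typescript
// Illustrative model (not aws-cdk-lib code) of how a PermissionsBoundary on a
// Stage or Stack resolves for an IAM role: the nearest enclosing scope wins and
// placeholders are filled from the owning Stack's environment.
type Env = { partition: string; account: string; region: string };
interface Scope {
  id: string;
  kind: 'App' | 'Stage' | 'Stack' | 'Role';
  parent?: Scope;
  permissionsBoundary?: string; // ARN or bare policy name, may hold placeholders
  env?: Env;                    // Stacks only; undefined = environment-agnostic
}
const PLACEHOLDER = /\$\{(AWS::Partition|AWS::Region|AWS::AccountId|Qualifier)\}/g;

// A bare name is expanded to an ARN template before substitution. Placeholders
// need an explicit environment, so a role in an env-agnostic stack throws.
function resolveBoundaryArn(scope: Scope, qualifier = 'hnb659fds'): string | undefined {
  let boundary: string | undefined;
  let env: Env | undefined;
  for (let s: Scope | undefined = scope; s; s = s.parent) {
    if (boundary === undefined) boundary = s.permissionsBoundary; // most specific wins
    if (s.kind === 'Stack') env = s.env;
  }
  if (boundary === undefined) return undefined; // no boundary anywhere in scope
  const template = boundary.startsWith('arn:')
    ? boundary
    : 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/' + boundary;
  return template.replace(PLACEHOLDER, (_m, key: string) => {
    if (!env) throw new Error(`cannot resolve ${key}: stack is environment-agnostic`);
    if (key === 'AWS::Partition') return env.partition;
    if (key === 'AWS::Region') return env.region;
    if (key === 'AWS::AccountId') return env.account;
    return qualifier; // ${Qualifier}: 'hnb659fds' is CDK's default bootstrap qualifier
  });
}

// Constructed sample mirroring the page's example (account id is made up).
const prodEnv: Env = { partition: 'aws', account: '111111111111', region: 'us-east-1' };
const app: Scope = { id: 'app', kind: 'App' };
const devStage: Scope = { id: 'DevStage', kind: 'Stage', parent: app };
const prodStage: Scope = { id: 'ProdStage', kind: 'Stage', parent: app, permissionsBoundary: 'prod-pb' };
const prodStack1: Scope = { id: 'ProdStack1', kind: 'Stack', parent: prodStage, env: prodEnv, permissionsBoundary: 'stack-pb' };
const prodStack2: Scope = { id: 'ProdStack2', kind: 'Stack', parent: prodStage, env: prodEnv };
const agnosticStack: Scope = { id: 'Agnostic', kind: 'Stack', parent: prodStage };
const devStack: Scope = { id: 'DevStack', kind: 'Stack', parent: devStage, env: prodEnv };
const role = (stack: Scope): Scope => ({ id: 'Role', kind: 'Role', parent: stack });
```

Running resolveBoundaryArn(role(prodStack1)) yields the stack-level boundary while role(prodStack2) inherits prod-pb, and a role in the env-agnostic stack fails because the placeholders cannot be filled.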