This lab is currently in beta; content may be updated as we refine the material.
Lab | Advanced

IAM Least Privilege with Permission Boundaries

Design and apply an IAM permission boundary to a delegated developer role, then prove the boundary blocks privilege escalation.

60 minutes
aws/devops

Lab Overview

A permission boundary is a managed policy that sets the maximum permissions an identity-based policy can grant to a role or user. It never grants anything on its own: the role's effective permissions are the intersection of its permissions policy and its boundary, minus any explicit Deny in either. That is what makes boundaries the AWS-recommended guardrail for letting a platform team delegate IAM to application teams without handing over the keys to the account. In this lab you act as the platform engineer: you author a boundary policy, apply it to a developer role, verify the role can do its day job (EC2, S3, Lambda), and then try to escalate privileges from inside the role to confirm the boundary holds.

You will:

  • Author a permission boundary policy that allows EC2, S3, and Lambda but denies billing, IAM admin, and Organizations
  • Create a developer role with a broad permissions policy AND the boundary attached
  • Assume the developer role and verify allowed day-job actions succeed
  • Attempt classic privilege escalation paths (create a new admin role, attach AdministratorAccess to your own role) and confirm the boundary blocks them. Two details decide whether the boundary actually holds: the IAM denial must cover iam:DeleteRolePermissionsBoundary and iam:PutRolePermissionsBoundary, otherwise the role can simply remove its own cap; and because launching an instance with an instance profile or creating a Lambda function requires iam:PassRole, that one IAM action has to be allowed, scoped to application roles, or the day-job checks will fail

This lab uses STS AssumeRole with a local AWS CLI profile so you can switch identities without leaving the workstation.
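As an added example (not part of the lab's own materials), the Python below models the rule the lab puts to the test: a request is allowed only when both the role's permissions policy and its permission boundary allow it, and an explicit Deny in either wins. The boundary document, the account ID 123456789012, the /app/ role path used to scope iam:PassRole, and the billing action names (aws-portal, billing, ce) are constructed for illustration; real IAM also evaluates Condition blocks, resource-based policies and session policies, which this toy ignores.

```python
"""Toy evaluator for the rule this lab tests: a role's effective permission is the
intersection of its permissions policy and its permission boundary, minus any
explicit Deny in either document.  Constructed example, not the lab's own code."""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"  # hypothetical account ID

# Example boundary in the spirit of the lab: allow the day job, never allow escalation.
# iam:PassRole is carved out (scoped to a /app/ path) because EC2 instance profiles
# and Lambda execution roles cannot be attached without it.
DEVELOPER_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DayJob", "Effect": "Allow",
         "Action": ["ec2:*", "s3:*", "lambda:*"], "Resource": "*"},
        {"Sid": "PassOnlyAppRoles", "Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": f"arn:aws:iam::{ACCOUNT}:role/app/*"},
        # Everything under iam:* not listed above is already an implicit deny; the
        # explicit Deny documents intent and survives a later widening of DayJob to "*".
        {"Sid": "NeverEscalate", "Effect": "Deny",
         "Action": ["iam:DeleteRolePermissionsBoundary", "iam:PutRolePermissionsBoundary",
                    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
                    "organizations:*", "aws-portal:*", "billing:*", "ce:*"],
         "Resource": "*"},
    ],
}

# The deliberately broad permissions policy the lab attaches alongside the boundary.
BROAD_PERMISSIONS = {"Version": "2012-10-17",
                     "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# A narrower permissions policy, used below to show the boundary never grants anything.
EC2_ONLY_PERMISSIONS = {"Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(stmt, action, resource):
    """True when the statement's Action and Resource patterns both cover the request.
    IAM action names are case-insensitive; Condition blocks are ignored in this toy."""
    actions = [a.lower() for a in _as_list(stmt["Action"])]
    resources = _as_list(stmt["Resource"])
    return (any(fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def _decision(policy, action, resource):
    """'Deny', 'Allow' or None (no matching statement: implicit deny) for one document."""
    matched = [s for s in policy["Statement"] if _matches(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "Deny"
    return "Allow" if matched else None


def evaluate(action, resource, permissions=BROAD_PERMISSIONS, boundary=DEVELOPER_BOUNDARY):
    """Simplified same-account IAM logic. Returns (allowed, reason)."""
    perm = _decision(permissions, action, resource)
    bound = _decision(boundary, action, resource)
    if "Deny" in (perm, bound):
        return False, "explicit deny"
    if bound is None:
        return False, "outside permission boundary"       # cap applies even though perm is Allow
    if perm is None:
        return False, "not granted by permissions policy"  # boundary allows, but it only caps
    return True, "allowed by both"


if __name__ == "__main__":
    role = f"arn:aws:iam::{ACCOUNT}:role/developer"
    checks = [
        ("ec2:RunInstances", "*"),
        ("s3:PutObject", "arn:aws:s3:::app-bucket/report.csv"),
        ("lambda:CreateFunction", "*"),
        ("iam:PassRole", f"arn:aws:iam::{ACCOUNT}:role/app/lambda-exec"),
        ("iam:PassRole", f"arn:aws:iam::{ACCOUNT}:role/Admin"),  # escalation via PassRole
        ("iam:CreateRole", "*"),                                  # create an admin role
        ("iam:AttachRolePolicy", role),                           # AdministratorAccess on self
        ("iam:DeleteRolePermissionsBoundary", role),              # remove the cap itself
        ("organizations:ListAccounts", "*"),
        ("aws-portal:ViewBilling", "*"),
    ]
    for action, resource in checks:
        allowed, why = evaluate(action, resource)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {action:38} {why}")
    # The boundary caps but never grants: lambda:* is in the boundary, yet an ec2-only
    # permissions policy still cannot create a function.
    print(evaluate("lambda:CreateFunction", "*", permissions=EC2_ONLY_PERMISSIONS))
```

In the lab itself the same checks run live: `aws iam create-role --permissions-boundary <boundary-arn>` attaches the cap at creation time, and `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names iam:CreateRole iam:AttachRolePolicy` reports the resulting implicit or explicit deny (the simulator takes the boundary into account) without having to assume the role first.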

What You'll Learn

Author an IAM permission boundary that allows a service scope and denies privilege escalation

Attach a permission boundary to an IAM role at creation time

Use STS AssumeRole with a named CLI profile to switch identities

Verify allowed actions succeed under a bounded role

Demonstrate that a permission boundary blocks classic privilege escalation paths

Prerequisites

  • AWS CLI baseline complete
  • AWS IAM fundamentals
  • Associate-level IAM knowledge

Technologies Covered

aws, iam, permission-boundary, least-privilege, sts, dop-c02, security

Part of a Course

This lab is part of the AWS Certified DevOps Engineer - Professional (DOP-C02) course
