From c925b03afae225d79ea28066fa5ef1f104a9abe5 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 15 May 2025 08:21:30 -0400 Subject: [PATCH] add permission boundary policy --- .../naming-tagging-standard/naming/iam.md | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/aws/documentation/naming-tagging-standard/naming/iam.md b/aws/documentation/naming-tagging-standard/naming/iam.md index fa09c11d..86408d98 100644 --- a/aws/documentation/naming-tagging-standard/naming/iam.md +++ b/aws/documentation/naming-tagging-standard/naming/iam.md @@ -5,6 +5,18 @@ * IAM Groups * IAM Roles * IAM Policies + * IAM Permission Boundary Policies + +| prefix | description | +|--------|-------------| +| u | IAM Normal User | +| a | IAM Adminstrative User | +| x | IAM Specialized User (say, for break glass) | +| s | IAM Service Account | +| g | IAM Group | +| r | IAM Role | +| p | IAM Permission Policy | +| b | IAM Permission Boundary Policy | # IAM @@ -71,6 +83,19 @@ where {integer} is a natural number, starting at 1, and incrementing by 1. It i Some analysis will be done to determine the extent of such policies across our environment, to understand if the literal `p` part of the sequence needs further clarification. +## IAM Permissions Boundary Policy + +```script +b-{base-label} +``` + +When creating a [permissions boundary policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html), we will +usew the prefix of `b-`. As the context of such policies reside in the IAM Policies section of the UI, this will allow for easy distinction +from permission policies (`p-`). + +Only one permissions boundary policy is permitted on an IAM user or role. + + # Links * [Base Label Format](../README.md#base-label-format) @@ -79,3 +104,6 @@ part of the sequence needs further clarification. - 1.0.0 -- 2024-10-10 - initial +- 1.1.0 -- 2025-05-15 + - add permission boundary policy + - add summary
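Review bot: In the prefix table added by the first hunk (`@@ -5,6 +5,18 @@`), the `a` row spells "Adminstrative"; it should read "Administrative". The table also sits between the resource list and the `# IAM` heading with no introductory sentence, so a line stating that these are the name prefixes for each IAM resource type would help. The new list item and the `b` row say "Permission Boundary" while the new section heading and the link text say "Permissions Boundary"; AWS's term is "permissions boundary", so use that form in all three places.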
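Review bot: In the new "IAM Permissions Boundary Policy" section (second hunk, `@@ -71,6 +83,19 @@`), "usew the prefix" should be "use the prefix", and "the context of such policies reside" needs "resides", or could be reworded as "these policies are listed in the IAM Policies section of the UI". The section does not say whether `b-{base-label}` takes the `{integer}` sequence mentioned in the text just above this hunk; state it either way so readers know whether the sequence applies to boundary policies.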
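Review bot: In the changelog hunk (`@@ -79,3 +104,6 @@`), the 1.1.0 entry "add summary" does not say what was summarized. Name it, for example "add prefix summary table", so the entry can be matched to the table added at the top of the file.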