AWS::SSO::PermissionSet PermissionsBoundary

Specifies the configuration of the Amazon managed or customer managed policy that you want to set as a permissions boundary. Specify either CustomerManagedPolicyReference to use the name and path of a customer managed policy, or ManagedPolicyArn to use the ARN of an Amazon managed policy. A permissions boundary represents the maximum permissions that any policy can grant your role. For more information, see Permissions boundaries for IAM entities in the IAM User Guide.

Important

Policies used as permissions boundaries don't provide permissions. You must also attach an IAM policy to the role. To learn how the effective permissions for a role are evaluated, see IAM JSON policy evaluation logic in the IAM User Guide.

Syntax

To declare this entity in your Amazon CloudFormation template, use the following syntax:

JSON


{
  "CustomerManagedPolicyReference" : CustomerManagedPolicyReference,
  "ManagedPolicyArn" : String
}

YAML


  CustomerManagedPolicyReference: 
    CustomerManagedPolicyReference
  ManagedPolicyArn: String

Properties

CustomerManagedPolicyReference

Specifies the name and path of a customer managed policy. You must have an IAM policy that matches the name and path in each Amazon Web Services account where you want to deploy your permission set.

Required: No

Type: CustomerManagedPolicyReference

Update requires: No interruption

ManagedPolicyArn

The Amazon managed policy ARN that you want to attach to a permission set as a permissions boundary.

Required: No

Type: String

Minimum: 20

Maximum: 2048

Pattern: arn:(aws|aws-us-gov|aws-cn|aws-iso|aws-iso-b):iam::aws:policy/[\p{L}\p{M}\p{Z}\p{S}\p{N}\p{P}]+

Update requires: No interruption

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

CustomerManagedPolicyReference