Advanced workflows

IAM Permissions Boundary for Amplify-generated roles

To set the maximum permissions that can be granted to IAM Roles created by Amplify CLI, configure a Permissions Boundary for the project. Then, Amplify-generated IAM roles can perform only the actions that are allowed by both the roles’ policies and Permissions Boundary. You can configure a different Permissions Boundary for each environment. For example, this enables you to deny a dev environment all access to a prod environment’s resources.

The IAM Permissions Boundary will apply to all IAM Roles created by Amplify. This includes the “auth role” assumed by users that log into the app and the “unauth role” assumed by guest users. It also applies to Lambda execution roles, Cognito user group roles, and any role configured in a custom resource stack.

The IAM Policy, to be used as a Permissions Boundary, must be configured outside of Amplify CLI. A Permissions Boundary is an IAM Policy and can be created following the guide here. This is usually part of an AWS Organization rule or other corporate governance requirement. Once you have created an IAM Policy to use as a Permissions Boundary, copy the IAM Policy ARN for the next steps.

Set up a Permissions Boundary in a new project

To initialize a project with a Permissions Boundary run:

amplify init --permissions-boundary <IAM Policy ARN>

amplify init --permissions-boundary <IAM Policy ARN>

Set up a Permissions Boundary in a new environment

When creating a new Amplify environment using amplify env add the Permissions Boundary from the current environment is automatically applied to the new environment.

To specify a different Permissions Boundary for the new environment, run:

amplify env add --permissions-boundary <IAM Policy ARN>

amplify env add --permissions-boundary <IAM Policy ARN>

To explicitly specify that the new environment should NOT have a Permissions Boundary, run:

amplify env add --permissions-boundary ''

amplify env add --permissions-boundary ''

If Amplify CLI is not able to automatically apply the Permissions Boundary to the new environment and --permissions-boundary is not specified, it will prompt for a IAM Policy ARN as a Permissions Boundary.

Update an environment’s Permissions Boundary

To modify the Permissions Boundary of the current environment, run:

amplify env update

amplify env update

In non-interactive shells use

amplify env update --permissions-boundary <IAM Policy ARN>

amplify env update --permissions-boundary <IAM Policy ARN>

The IAM Permissions Boundary will be applied on the next amplify push.

Set up a Permissions Boundary in a cross-account Amplify project

Amplify CLI cannot automatically apply the existing boundary to a new environment in a different AWS account if the --yes flag is used during amplify env add. In this case, a new Permissions Boundary must be specified using amplify env add --yes --permissions-boundary <IAM Policy ARN> or to explicitly remove the Permissions Boundary from the new environment use amplify env add --yes --permissions-boundary ''.

Previous Page
previous

IAM Roles & MFA

next

Headless mode for CI/CD

Next Page
Discord Logo
Amplify open source, documentation and community are supported by Amazon Web Services © 2021, Amazon Web Services, Inc. and its affiliates. All rights reserved. View the site terms and privacy policy.
    Flutter and the related logo are trademarks of Google LLC. We are not endorsed by or affiliated with Google LLC.