Page updated May 16, 2024

IAM Permissions Boundary

To cap the permissions that any IAM role created by Amplify can be granted, configure a permissions boundary for the AWS environment (i.e. AWS account and region). Amplify-generated IAM roles can then perform only the actions that are allowed by both the role's own policies and the permissions boundary.

The IAM permissions boundary will apply to all IAM Roles created by Amplify. This includes the "auth role" assumed by users that log into the app and the "unauth role" assumed by guest users. It also applies to Lambda execution roles, Cognito user group roles, and any role configured in a custom resource stack.

The IAM policy used as a permissions boundary must be created outside of Amplify; it is usually mandated by an AWS Organization rule or some other corporate governance requirement. Once you have created the IAM policy to use as a permissions boundary, copy its ARN for the next steps.

Set up a permissions boundary in an AWS environment

Terminal
cdk bootstrap --custom-permissions-boundary <iam-policy-arn>

The cdk bootstrap command is a one-time operation that configures the AWS account and region for CDK deployments. Once executed, users can continue to utilize Amplify commands (e.g. sandbox) without interruption. Any custom IAM permissions boundary set by cdk bootstrap will be automatically applied to the roles created by Amplify.
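The following is an added example, not Amplify or AWS code, that models the one rule this page relies on: a boundary never grants anything by itself, and an Amplify-created role's effective permissions are the intersection of its own policies and the boundary, with an explicit Deny in either winning. The two policy documents (a platform team's boundary and an auth-role style identity policy) and the action names are constructed samples; the evaluator only handles `Effect` and `Action` wildcards and deliberately ignores resources, conditions, resource policies and SCPs, so it is a teaching model of the boundary semantics, not a replacement for the IAM policy simulator.

```python
"""Toy model of how an IAM permissions boundary caps an Amplify-created role.

Added example, not Amplify/AWS code. Covers only what the page describes:
effective permission = role policy AND boundary, explicit Deny in either wins.
Resources, conditions, resource-based policies and SCPs are ignored.
"""
import json
from fnmatch import fnmatchcase

# Constructed sample: a boundary policy a platform team would create outside
# Amplify and pass to `cdk bootstrap --custom-permissions-boundary`.
BOUNDARY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:*", "dynamodb:*", "logs:*", "lambda:InvokeFunction"],
            "Resource": "*",
        },
        # Even s3:* above cannot override this explicit Deny.
        {"Effect": "Deny", "Action": ["s3:DeleteBucket"], "Resource": "*"},
    ],
}

# Constructed sample: an identity policy in the style of an Amplify auth role.
# Note it grants iam:PassRole, which the boundary above never allows.
AUTH_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:*", "dynamodb:Query", "lambda:InvokeFunction", "iam:PassRole"],
            "Resource": "*",
        }
    ],
}


def _actions(stmt):
    """Normalise the Action element, which IAM lets you write as a string or a list."""
    action = stmt.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def policy_decision(policy, action):
    """Evaluate one policy document for one action.

    Returns 'deny' (explicit Deny matched), 'allow' (an Allow matched and no
    Deny did) or 'implicit_deny' (no statement matched). Action matching is
    case-insensitive and supports IAM's * and ? wildcards.
    """
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        matched = any(fnmatchcase(action.lower(), pat.lower()) for pat in _actions(stmt))
        if not matched:
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # explicit Deny always wins, stop here
        decision = "allow"
    return decision


def effective_decision(identity_policy, boundary_policy, action):
    """Combine the role's own policy with its permissions boundary.

    The action is allowed only when BOTH documents allow it; an explicit Deny
    in either one denies it; anything else is an implicit deny.
    """
    role = policy_decision(identity_policy, action)
    bound = policy_decision(boundary_policy, action)
    if "deny" in (role, bound):
        return "deny"
    if role == "allow" and bound == "allow":
        return "allow"
    return "implicit_deny"


def audit_actions(identity_policy, boundary_policy, actions):
    """Return {action: effective decision} for a list of actions to review."""
    return {a: effective_decision(identity_policy, boundary_policy, a) for a in actions}


if __name__ == "__main__":
    print("Boundary document to create outside Amplify:")
    print(json.dumps(BOUNDARY_POLICY, indent=2))
    review = audit_actions(
        AUTH_ROLE_POLICY,
        BOUNDARY_POLICY,
        ["s3:GetObject", "s3:DeleteBucket", "iam:PassRole", "dynamodb:Scan", "lambda:InvokeFunction"],
    )
    for action, verdict in review.items():
        print(f"{action:24} {verdict}")
```

In the sample, `iam:PassRole` is granted by the role policy but ends up an implicit deny because the boundary never allows it, `dynamodb:Scan` is allowed by the boundary but still denied because the role policy only grants `dynamodb:Query`, and `s3:DeleteBucket` is denied by the boundary's explicit Deny despite `s3:*` on both sides. To apply the real thing, create the boundary with `aws iam create-policy --policy-name <name> --policy-document file://boundary.json`, use the returned ARN with `cdk bootstrap`, and after a deployment confirm it took effect by checking that `aws iam get-role --role-name <amplify-role-name>` reports a `PermissionsBoundary` with that ARN.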

Check this guide to learn more about bootstrapping