IAM best practices (without access constraints)?

Heya :wave: , I’m working with terraform to create a few different resources. I’m wondering how people follow best practices with ensuring IAM policies are not created without constraints? Say I have an assumable role for my CICD process that needs permissions to create roles, but only scoped to that iam role resource.

I think my answer may lie within permission boundaries, but I would love anyone else's input!

Permission boundaries are the tool for that, along with conditions that they get set on created resources as well.
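The pattern from the answer above, written out as an added Terraform example (not code posted in this thread): a boundary policy that caps any role CI/CD creates, plus a scoped policy for the CI/CD role that allows `iam:CreateRole` only when that boundary is attached, and denies removing or editing it. The policy names and the `app-` role name prefix are assumptions.

```hcl
data "aws_caller_identity" "current" {}

# Boundary: the ceiling on what any CI/CD-created role can ever do,
# regardless of which identity policies CI/CD later attaches to it.
resource "aws_iam_policy" "cicd_boundary" {
  name = "cicd-role-boundary" # assumed name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid      = "BoundaryCeiling"
      Effect   = "Allow"
      Action   = ["s3:GetObject", "s3:PutObject", "logs:*"]
      Resource = "*"
    }]
  })
}

# Policy for the assumable CI/CD role: manage roles only under the assumed
# "app-" prefix, and only when the boundary is attached at creation time.
resource "aws_iam_policy" "cicd_iam_admin" {
  name = "cicd-scoped-iam" # assumed name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "CreateRolesOnlyWithBoundary"
        Effect   = "Allow"
        Action   = ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"]
        Resource = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/app-*"
        Condition = {
          StringEquals = { "iam:PermissionsBoundary" = aws_iam_policy.cicd_boundary.arn }
        }
      },
      {
        # Without this, CI/CD could detach or swap the boundary and escape the ceiling.
        Sid      = "NeverRemoveOrChangeBoundary"
        Effect   = "Deny"
        Action   = ["iam:DeleteRolePermissionsBoundary", "iam:PutRolePermissionsBoundary"]
        Resource = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/app-*"
      },
      {
        Sid      = "ProtectBoundaryPolicyItself"
        Effect   = "Deny"
        Action   = ["iam:CreatePolicyVersion", "iam:DeletePolicy", "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"]
        Resource = aws_iam_policy.cicd_boundary.arn
      }
    ]
  })
}
```

Attach `aws_iam_policy.cicd_iam_admin` to the CI/CD role; a `CreateRole` call that omits `--permissions-boundary` (or names a different one) is then denied by the condition.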

Yeah, that's actually exactly what I did. I was overthinking the process :grin: