AWS IAM Permission Boundaries Has A Caveat That May Surprise You

Resource policies can unilaterally grant access, even when that access is not allowed by the permissions boundary.

Note: this article was originally published on September 1, 2021. It erroneously stated that the resource policy could reference the role, rather than the assumed-role session. I removed it pending an update. The confusion, complexity, and poor documentation led me to publish I Trust AWS IAM to Secure My…
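The caveat above in runnable form, as an added example that is not code from the original article: a small model of the AWS policy-evaluation order for a same-account request (explicit deny, then resource-based policy, then permissions boundary, then identity-based policy), reduced to Allow/Deny statements with Action, Resource and Principal. The account id, role name, session name, bucket names and all policy documents are constructed for illustration. A bucket policy that grants to the assumed-role session ARN (arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION) allows the request even though the boundary never mentions that bucket; the same grant made to the role ARN stays limited by the boundary, and the identity policy alone never escapes it.

```python
"""Toy model of permissions-boundary vs. resource-policy evaluation.

Added example, not the article's own code. ARNs and policies below are
constructed; the decision order follows the AWS policy-evaluation-logic
documentation, simplified (no SCPs, no session policies, no conditions).
"""
import fnmatch

ACCOUNT = "111122223333"  # assumed example account id
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/AppRole"
SESSION_ARN = f"arn:aws:sts::{ACCOUNT}:assumed-role/AppRole/deploy-session"


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _statement_matches(stmt, action, resource):
    """Action/Resource matching with the '*' wildcard IAM uses."""
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))


def _principal_matches(stmt, principal_arn):
    p = stmt.get("Principal", {})
    if p == "*":
        return True
    return any(fnmatch.fnmatchcase(principal_arn, a) for a in _as_list(p.get("AWS", [])))


def evaluate(policy, action, resource, principal_arn=None):
    """Return 'Allow', 'Deny' (explicit) or 'Implicit' for a single policy document."""
    result = "Implicit"
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, action, resource):
            continue
        if principal_arn is not None and not _principal_matches(stmt, principal_arn):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        result = "Allow"
    return result


def is_allowed(action, resource, *, identity_policy, boundary, resource_policy=None):
    """Decide a request made by the assumed-role session of AppRole."""
    identity = evaluate(identity_policy, action, resource)
    bound = evaluate(boundary, action, resource)
    # The session matches a resource policy via either its own ARN or the role ARN,
    # but only the role-ARN grant is limited by the permissions boundary.
    rp_session = rp_role = "Implicit"
    if resource_policy is not None:
        rp_session = evaluate(resource_policy, action, resource, SESSION_ARN)
        rp_role = evaluate(resource_policy, action, resource, ROLE_ARN)
    if "Deny" in (identity, bound, rp_session, rp_role):
        return False  # an explicit deny anywhere wins
    if rp_session == "Allow":
        return True   # grant to the session principal: boundary does not apply
    if rp_role == "Allow":
        return bound == "Allow"  # grant to the role ARN: boundary still limits it
    return bound == "Allow" and identity == "Allow"


# Constructed policies: the boundary only allows reads from bucket-a,
# while the role's identity policy is much broader.
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket-a/*"}]}
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def bucket_b_policy(principal_arn):
    """Bucket policy on bucket-b granting GetObject to the given principal ARN."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": principal_arn},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket-b/*"}]}


def demo():
    """Four requests by the session; returns name -> allowed."""
    obj_b = "arn:aws:s3:::bucket-b/secret.txt"
    obj_a = "arn:aws:s3:::bucket-a/public.txt"
    common = dict(identity_policy=IDENTITY_POLICY, boundary=BOUNDARY)
    return {
        "within_boundary": is_allowed("s3:GetObject", obj_a, **common),
        "identity_only": is_allowed("s3:GetObject", obj_b, **common),
        "bucket_policy_role_arn": is_allowed(
            "s3:GetObject", obj_b, resource_policy=bucket_b_policy(ROLE_ARN), **common),
        "bucket_policy_session_arn": is_allowed(
            "s3:GetObject", obj_b, resource_policy=bucket_b_policy(SESSION_ARN), **common),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28s} {'ALLOW' if allowed else 'DENY'}")
```

The practical check is the one the model makes explicit: when auditing a boundary, grep every resource-based policy in the account (S3, KMS, SQS, Secrets Manager, and so on) for principals of the form `arn:aws:sts::…:assumed-role/…`, because those grants are not constrained by the boundary at all; only an explicit Deny in the boundary or the resource policy stops them.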