Delegated administrator with defined permission boundaries in a permission boundary policy attachment for web services and resources

Assignee

• AMAZON TECHNOLOGIES, INC. · US

Inventors

• Mingkun Wang · Beijing, CN
• Jasmeet Chhabra · Sammamish, US
• Hang Li · Beijing, CN
• Chenguang Yin · Seattle, US
• Dan Popick · Seattle, US
• Alazel Acheson · Redmond, US
• Apurv Awasthi · Issaquah, US
• Brigid Ann Johnson · Seattle, US
• Conor P. Cahill · Waterford, US

Key dates

Classification

• Technology area (CPC G)Physics
• CPC primaryG06F2221/2141
• WIPO fieldComputer technology
• WIPO sectorElectrical engineering

Abstract

A method and system for generating permissions policies and permission boundary policies are described. The system receives a first request from a central administrator to create a delegated administrator, the first request specifying with one or more access permissions. The system generates a permission boundary policy that specifies the one or more access permissions and a first permissions policy that grants permissions to the delegated administrator to at least one of create an IAM principal with the permission boundary policy or attach a second permissions policy to the IAM principal. An effective permission given to the IAM principal is an intersection of access permissions specified in the first permissions policy and the one or more access permissions in the permission boundary policy. The system attaches the first permissions policy and the permission boundary policy to the delegated administrator.