As organizations grow, the security team can't create every IAM role and policy in one place. Developers need to create their own Lambda execution roles, EC2 instance roles, and CI/CD deployment roles to move quickly. But here lies a critical risk: a developer given IAM permissions can create a role with AdministratorAccess for themselves, causing privilege escalation.
Permission Boundary tackles this problem head-on. In day1, we glanced at this concept as "a ceiling on permissions"—today we'll handle it practically in real delegation scenarios. Blocking privilege escalation is a core topic that appears in nearly every Specialty exam.