Add optional permissions boundary support for enterprise deployments

Author: Bob Strahan

CHANGELOG.md

@@ -5,6 +5,12 @@ SPDX-License-Identifier: MIT-0
 
 ## [Unreleased]
 
+### Added
+- **Optional Permissions Boundary Support for Enterprise Deployments**
+  - Added `PermissionsBoundaryArn` parameter to all CloudFormation templates for organizations with Service Control Policies (SCPs) requiring permissions boundaries
+  - Comprehensive support for both explicit IAM roles and implicit roles created by AWS SAM functions with `Policies:`
+  - Conditional implementation ensures backward compatibility - when no permissions boundary is provided, roles deploy normally
+
 ## [0.3.8]
 
 ### Added

docs/aws-services-and-roles.md

@@ -51,6 +51,20 @@ This document outlines the AWS services used by the GenAI Intelligent Document P
 
 ## IAM Role Requirements
 
+### Enterprise Deployment Considerations
+
+For organizations with Service Control Policies (SCPs) that mandate permissions boundaries on all IAM roles, the solution provides comprehensive support through the `PermissionsBoundaryArn` parameter. This optional parameter can be specified during deployment to attach a permissions boundary to all IAM roles (both explicit roles and implicit roles created by AWS SAM functions).
+
+**Usage:**
+```bash
+aws cloudformation deploy \
+  --template-file template.yaml \
+  --parameter-overrides PermissionsBoundaryArn=arn:aws:iam::123456789012:policy/MyPermissionsBoundary \
+  --capabilities CAPABILITY_IAM
+```
+
+When no permissions boundary is specified, roles deploy normally, ensuring backward compatibility.
+
 ### Deployment Roles
 
 Deploying this solution requires an IAM role/user with the following permissions:

docs/well-architected.md

@@ -30,6 +30,7 @@ The GenAI Intelligent Document Processing (GenAIIDP) Accelerator demonstrates st
 ### Strengths
 
 - **Defense in Depth**: Multiple security layers including IAM roles with least privilege, encryption at rest, and secure API access.
+- **Enterprise IAM Governance**: Comprehensive support for IAM permissions boundaries to comply with organizational Service Control Policies (SCPs) that mandate permissions boundaries on all IAM roles.
 - **Content Safety**: Integration with Amazon Bedrock Guardrails to enforce content policies, block sensitive information, and prevent model misuse.
 - **Authentication**: Cognito user pools with configurable password policies and MFA support.
 - **Authorization**: Fine-grained access controls for different components and resources.
@@ -146,4 +147,4 @@ The GenAI Intelligent Document Processing Accelerator demonstrates strong alignm
 
 Key strengths include the serverless architecture, which provides automatic scaling and resilience, and the comprehensive monitoring capabilities that enable operational visibility. The solution's modular design allows for customization and extension to meet specific business requirements.
 
-Areas for potential enhancement include more granular cost controls, multi-region resilience strategies, and sustainability optimizations. By addressing these recommendations, the solution can further improve its alignment with Well-Architected best practices.
+Areas for potential enhancement include more granular cost controls, multi-region resilience strategies, and sustainability optimizations. By addressing these recommendations, the solution can further improve its alignment with Well-Architected best practices.