diff --git a/bin/vpc-builder.ts b/bin/vpc-builder.ts
index 0e581d4..e0c8c33 100644
--- a/bin/vpc-builder.ts
+++ b/bin/vpc-builder.ts
@@ -9,9 +9,10 @@ import { Stack } from "aws-cdk-lib"
     const cdkApp = stackBuilder.stackMapper.app;
 
     const configFile = cdkApp.node.tryGetContext("config");
+    const permissionsBoundary = cdkApp.node.tryGetContext("permissions_boundary");
     // If a configuration file is provided we will use it to build our stacks
     if (configFile) {
-      stackBuilder.configure(configFile);
+      stackBuilder.configure(configFile, undefined, permissionsBoundary);
       await stackBuilder.build();
     } else {
       // When no configuration context provided, we will warn but not fail.  This allows 'cdk bootstrap', 'cdk help'
diff --git a/lib/stack-builder.ts b/lib/stack-builder.ts
index 3d73f88..11b9fef 100644
--- a/lib/stack-builder.ts
+++ b/lib/stack-builder.ts
@@ -24,6 +24,7 @@ import { IVpcInterfaceEndpointsProps } from "./vpc-interface-endpoints-stack";
 import * as path from "path";
 import * as fs from "fs";
 import * as ri from "@aws-cdk/region-info"
+import * as cdk from 'aws-cdk-lib';
 
 export interface namedVpcStack {
   name: string;
@@ -93,6 +94,7 @@ export class StackBuilderClass {
     workload: [],
   };
   configParser: ConfigParser;
+  permissionsBoundary: cdk.PermissionsBoundary;
   c: IConfig;
   interfaceDiscovery: Array<ServiceDetail> = [];
   interfaceList: Array<string> = [];
@@ -102,11 +104,14 @@ export class StackBuilderClass {
     this.stackMapper = new StackMapper({});
   }
 
-  configure(configFilename?: string, configContents?: string) {
+  configure(configFilename?: string, configContents?: string, permissionsBoundary?: string) {
     this.configParser = new ConfigParser({
       configFilename: configFilename,
       configContents: configContents,
     });
+    if (permissionsBoundary) {
+      this.permissionsBoundary = cdk.PermissionsBoundary.fromName(permissionsBoundary);
+    }
     try {
       this.configParser.parse();
       this.c = this.configParser.config;
@@ -185,6 +190,7 @@ export class StackBuilderClass {
               shareWithVpcs: sharedWithAppStacks,
               shareWithExistingVpcs: dnsStanza.shareWithExistingVpcs,
             },
+            permissionsBoundary: this.permissionsBoundary,
           }
         );
       }
@@ -196,13 +202,15 @@ export class StackBuilderClass {
       const allNamedStacks = this.allNamedStacks();
       this.stackMapper.transitGatewayRoutesStack("transit-gateway-routes", {
         tgwAttachmentsAndRoutes: allNamedStacks,
-        useLegacyIdentifiers: this.c.global.useLegacyIdentifiers ? this.c.global.useLegacyIdentifiers : false
-      })
+        useLegacyIdentifiers: this.c.global.useLegacyIdentifiers ? this.c.global.useLegacyIdentifiers : false,
+        permissionsBoundary: this.permissionsBoundary,
+      });
       // Use our Dummy Stack to assure our key exports (tgw ID, vpc ID, TGW attach ID remain exported)
       // Really only required when we're attaching to a TGW.  Stand alone VPCs don't require exports to
       // co-ordinate their installation.
       this.stackMapper.cdkExportPersistStack("cdk-export-persistence", {
         persistExports: allNamedStacks,
+        permissionsBoundary: this.permissionsBoundary,
       });
     }
   }
@@ -232,6 +240,7 @@ export class StackBuilderClass {
         ssmParameterPrefix: this.c.global.ssmPrefix,
         vpcCidr: configStanza.vpcCidr,
         createSubnets: subnets,
+        permissionsBoundary: this.permissionsBoundary,
       };
 
       const transitGatewayName = this.workloadHasTransit(workloadVpcName);
@@ -307,6 +316,7 @@ export class StackBuilderClass {
           props: {
             namePrefix: transitGatewayName,
             tgwDescription: "imported",
+            permissionsBoundary: this.permissionsBoundary,
           },
         };
         this.stacks.transitGateway.push({
@@ -322,6 +332,7 @@ export class StackBuilderClass {
             {
               namePrefix: transitGatewayName,
               tgwDescription: configStanza.tgwDescription,
+              permissionsBoundary: this.permissionsBoundary,
             }
           ),
         });
@@ -361,6 +372,7 @@ export class StackBuilderClass {
               "transitGateway",
               configStanza.useTransit
             ).tgw,
+            permissionsBoundary: this.permissionsBoundary,
           }
         ),
       });
@@ -383,7 +395,8 @@ export class StackBuilderClass {
               existingDxGwTransitGatewayRouteTableId: configStanza.existingDxGwTransitGatewayRouteTableId,
               tgw: {
                 attrId: configStanza.existingTgwId
-              }
+              },
+              permissionsBoundary: this.permissionsBoundary,
             }
         ),
       });
@@ -469,6 +482,7 @@ export class StackBuilderClass {
             "transitGateway",
             configStanza.useTransit
           ).tgw,
+          permissionsBoundary: this.permissionsBoundary,
         } as IVpcInterfaceEndpointsProps
       ),
     });
@@ -510,6 +524,7 @@ export class StackBuilderClass {
             "transitGateway",
             configStanza.useTransit
           ).tgw,
+          permissionsBoundary: this.permissionsBoundary,
         } as IVpcRoute53ResolverEndpointsProps
       ),
     });
@@ -539,6 +554,7 @@ export class StackBuilderClass {
               "transitGateway",
               configStanza.useTransit
             ).tgw,
+            permissionsBoundary: this.permissionsBoundary,
           }
         ),
       });
@@ -567,6 +583,7 @@ export class StackBuilderClass {
               "transitGateway",
               configStanza.useTransit
             ).tgw,
+            permissionsBoundary: this.permissionsBoundary,
           }
         ),
       });