How is iam:PassRole managed to control server credentials?

EC2 instances, and an increasing number of other AWS services, use IAM roles to delegate permissions to the resource. In effect, you authorize an EC2 instance (or a Lambda function, EMR cluster, etc.) to call AWS APIs without embedding long-lived access keys in the application. This is the secure, convenient and recommended practice for applications that access AWS APIs. Read more on the AWS Security Blog.

iam:PassRole is the permission that controls which IAM users (or other principals) may pass an IAM role to an AWS service when creating or configuring a resource. Whoever can pass a role to a service can make that service act with the role's permissions, so PassRole is effectively a privilege-escalation gate and must be scoped carefully.

Turbot manages iam:PassRole so that specific users can pass specific roles to specific services. For example, EMR users need iam:PassRole on the EMR service role to be able to start a new EMR cluster. Privileged Turbot IAM roles (e.g. superuser), on the other hand, must never be usable with iam:PassRole, since that would let a user hand superuser permissions to a resource they control.

Here is a summary of the Turbot approach:

  • iam:PassRole is granted at the AWS/Owners level when IAM is enabled. No user holds this permission by default; it is acquired only by being assigned that level.
  • Special roles, e.g. turbot_superuser, are protected in two ways: no instance profile is created for the role, so it cannot be attached to an EC2 instance, and an explicit deny prevents users from taking actions such as iam:PassRole on the role. Because an explicit deny overrides any allow, this protection holds even for users who have been granted PassRole more broadly.
  • When service roles are required, e.g. EC2 instance roles and Lambda function roles, iam:PassRole is granted at the appropriate level within that specific service. For instance, if Lambda is enabled, iam:PassRole is granted to AWS/Lambda/Admin, as Lambda admins create functions, and creating a function requires passing the function's execution role.
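As an added example (not Turbot's own code or policy documents), the Python script below shows what a scoped service-level grant and the explicit deny on the superuser role look like as IAM policy statements, and includes a small check that flags PassRole grants with an unrestricted Resource or without an iam:PassedToService condition, i.e. exactly the over-broad grants the approach above is designed to avoid. The account ID 123456789012, the /lambda/ role path, the statement Sids and the sample policies are constructed placeholders.

```python
"""Audit IAM policy documents for over-broad iam:PassRole grants.

Added example: the sample policies are constructed for this article and are
not Turbot's policy documents. Account ID, role path and Sids are placeholders.
"""
from fnmatch import fnmatchcase

# A policy that hands out PassRole for every role to every service: anyone
# holding it can attach turbot_superuser to a resource they control.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PassAnyRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# The shape described above: Lambda admins may pass roles under a Lambda-specific
# path, only to the Lambda service, and an explicit Deny protects the superuser
# role regardless of any other Allow the user may have.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LambdaAdminPassRole",
            "Effect": "Allow",
            "Action": ["iam:PassRole"],
            "Resource": "arn:aws:iam::123456789012:role/lambda/*",
            "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}},
        },
        {
            "Sid": "NeverPassSuperuser",
            "Effect": "Deny",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::123456789012:role/turbot_superuser",
        },
    ],
}

SUPERUSER_ROLE_ARN = "arn:aws:iam::123456789012:role/turbot_superuser"


def _as_list(value):
    """IAM lets Statement/Action/Resource be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_passrole(stmt) -> bool:
    """True if any Action pattern matches iam:PassRole (case-insensitive, * and ? wildcards)."""
    return any(fnmatchcase("iam:passrole", p.lower()) for p in _as_list(stmt.get("Action")))


def _passed_to_services(stmt) -> list:
    """Collect the values of any iam:PassedToService condition key on the statement."""
    services = []
    for keys in stmt.get("Condition", {}).values():
        for key, values in keys.items():
            if key.lower() == "iam:passedtoservice":
                services.extend(_as_list(values))
    return services


def passrole_findings(policy: dict) -> list:
    """Return one finding per Allow statement that grants PassRole too broadly."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # NotAction grants everything except the listed actions, which
            # usually includes PassRole; flag it rather than guess.
            findings.append(f"{sid}: uses NotAction, may grant iam:PassRole implicitly; review manually")
            continue
        if not _covers_passrole(stmt):
            continue
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*" or resource.endswith(":role/*"):
                findings.append(f"{sid}: Resource {resource!r} allows passing any role in the account")
        services = _passed_to_services(stmt)
        if not services or "*" in services:
            findings.append(f"{sid}: no iam:PassedToService restriction, role can be passed to any service")
    return findings


def denies_passrole(policy: dict, role_arn: str) -> bool:
    """True if an unconditional explicit Deny blocks iam:PassRole on role_arn.

    An explicit Deny overrides every Allow, so this checks that the superuser
    protection is in place. Conditional Denies are ignored because they only
    hold in some request contexts.
    """
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny" or "Condition" in stmt or not _covers_passrole(stmt):
            continue
        if any(fnmatchcase(role_arn, pattern) for pattern in _as_list(stmt.get("Resource"))):
            return True
    return False


if __name__ == "__main__":
    for name, policy in (("OVERBROAD_POLICY", OVERBROAD_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        print(f"{name}:")
        for finding in passrole_findings(policy) or ["no over-broad PassRole grants"]:
            print("  -", finding)
        print("  superuser protected by explicit Deny:", denies_passrole(policy, SUPERUSER_ROLE_ARN))
```

Run against a real policy, the script reports an unrestricted grant like PassAnyRole twice (any role, any service) and nothing for the scoped grant; the same two checks (Resource narrowed to the service's role path, iam:PassedToService pinned to the service principal) apply to an EMR admin grant, with elasticmapreduce.amazonaws.com in place of lambda.amazonaws.com. Remember that the explicit Deny only covers the PassRole path; the missing instance profile is what stops the role from being attached to an EC2 instance, and that cannot be verified from the policy document alone.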