What does IAM PassRole do and How to Set it Up

By Eyal Katz April 10, 2024

95% of cloud security fails are due to internal slip-ups. One wrong password, one sloppy permission, and your sensitive data are out in the open.

Thankfully, AWS gives you tools to fight back.  IAM lets you control who does what, down to the finest detail. And IAM PassRole?  It prevents sneaky permission grabs that put your data at risk.

What is IAM PassRole and How Does it Work?

AWS IAM

IAM PassRole is a permission within AWS Identity and Access Management (IAM) that allows IAM entities (users, groups, or roles) to delegate permissions to AWS services. It allows permissions by assigning an IAM role to an AWS resource or service. Doing so lets you precisely define the actions the resource or service can perform based on the permissions attached to the role.

Critical features of IAM PassRole

  • Delegation: Grants access without directly assigning permissions to users or resources.
  • Security: Enforces the principle of least privilege by allowing you to grant only the minimum necessary permissions.
  • Control: Ensures you dictate which roles can be assigned and where they apply.

Common Challenges and Risks of IAM PassRole

While powerful, using IAM PassRole effectively requires careful attention. Mistakes can cause issues that are easily detected by API penetration tests. 

Here are some common pitfalls:

  • Accidental Exposure: Misconfigurations can easily expose sensitive data or grant unintended privileges, leaving your AWS environment vulnerable. 
  • Complexity: Keeping track of permissions across large, evolving cloud setups is challenging. Seemingly harmless changes can have cascading security consequences.
  • Hidden Risks: Credentials, API keys, or other sensitive information accidentally embedded within code or configuration files pose a significant threat.

Cloud risk management incorporates processes to identify and remediate these risks before they become incidents.

What is the difference between IAM Role vs. IAM PassRole?

  • Standard IAM roles: Grant permissions for specific actions on AWS resources to IAM entities (users, groups, or other roles).
  • IAM PassRole: Grants permission specifically for delegating IAM roles to AWS services. Delegation provides precise control over which entities can grant permissions.

In simpler terms:

  • Standard IAM roles are about what you can do.
  • IAM PassRole is about who can assign those permissions.

Where is IAM PassRole used?

IAM PassRole is often used with AWS CloudFormation.

AWS CloudFormation lets you build your setup (servers, databases, etc.) using code called templates. Sometimes, these templates need permissions the user running them doesn’t have. This can cause the deployment to fail. 

Attaching an IAM role using PassRole gives the permissions needed to do its job. Aligning with DevSecOps Maturity Model (DSOMM) best practices can streamline this process, improving efficiency and mitigating security vulnerabilities in your workflows.

Here’s an example.

  • A user with CloudFormationFullAccess may attempt to execute a template requiring EC2FullAccess and S3FullAccess. 
  • Without IAM:PassRole permission, the user cannot create the stack. 
  • Granting IAM:PassRole allows users to attach a necessary service role to CloudFormation, facilitating successful stack creation.

Here is an IAM policy that grants IAM:PassRole permission.

{
	"Version": "2012-10-17",
	"Statement": [{
  	"Effect": "Allow",
  	"Action": [
    	"iam:GetRole",
    	"iam:PassRole"
  	],
  	"Resource": "arn:aws:iam::<account-id>:role/CloudFormationServiceRole"
	}]
}

In this policy, specifying the exact role instead of using a wildcard (*) in the resource ARN is critical to prevent privilege escalation.

Why Securely Configuring PassRole is Important

Messy IAM PassRole settings are an open invitation for trouble in your AWS setup.  Attackers can sneak in and upgrade their permissions above what they should have. A breach could have widespread consequences if those permissions aren’t carefully restricted to specific AWS Regions or Availability Zones.

Mitigation Strategies

  • Restrict Passable Roles: Limit which roles users can pass around – it helps prevent misuse.
  • Principle of Least Privilege: Keep those permissions super tight. Only grant what’s absolutely needed for each task.
  • Audits: Regular reviews are necessary, but sneaky stuff like hidden secrets can slip through the cracks. If you’re a SaaS, SSPM can augment these audits with continuous monitoring and automated detection of misconfigurations and vulnerabilities.
  • Automation: Let robots handle IAM role creation – less error, and more consistency. Even better, use advanced automation to find and fix those hidden misconfigurations. DSPM solutions often include these automation capabilities for streamlined remediation.

Here’s an example.

Your developer needs limited access to sending emails, right? Sloppy PassRole permissions could let attackers upgrade themselves to full AdministratorAccess on that EC2 instance. 

 "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:iam::<account-id>:role/SESEmailSendingRole"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "ec2.amazonaws.com"
                }
            }
        }
    ]
}

Step-by-Step Guide to Setting Up Secure IAM PassRole

Creating and setting up IAM PassRole is straightforward. Here’s a detailed guide to help you through the process.

Step 1 – Sign in to the AWS Management Console

First, sign in to the AWS Management Console and navigate to the IAM service.

Step 2 – Create a New Role

Select Roles on the left-hand side menu and click Create role.

Create a New Role Tutorial 1

Select the service using this role (e.g., EC2) and click Next.

Create a New Role Tutorial 2

Search for and select the policies you want to attach to the role. Follow the principle of least privilege and attach only the permissions necessary for the role to function correctly. Once you’ve done this, click Next.

Create a New Role Tutorial 3

Review the role settings and permissions. If everything looks good, click Create role.  You’ll then have created your role with the specified trust relationship and attached policies.

Create a New Role Tutorial 4

Step 3 – Update Trust Relationship 

By default, AWS sets the trust relationship for you. However, if you need to modify it, go to the Trust relationships tab of your role, click Edit trust policy, and update the policy document accordingly.

Update Trust Relationship Tutorial 1
{
 "Version": "2012-10-17",
 "Statement": {
	"Effect": "Allow",
	"Principal": {
      "Service": "ec2.amazonaws.com"
     },
	"Action": "sts:AssumeRole"
 }
}

Step 4 – Create/Edit an IAM Policy for PassRole

Select the Policies tab on the left-hand sidebar on the IAM dashboard and click the Create policy button.

Create or Edit an IAM Policy for PassRole Tutorial 1

Go to the JSON tab. Enter the following policy (replace role-arn with the actual ARN of the role you created):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::074152649875:role/EC2Role"
    }
  ]
}

Review the policy settings, and if everything looks good, click Create policy.

Create or Edit an IAM Policy for PassRole Tutorial 2

Step 5 – Attach Policy to IAM User/Group/Role

To attach the policy to an IAM user, click Users in the IAM dashboard and select the user who needs to pass the role.

Attach Policy to IAM User, Group, or Role Tutorial 1

Click Add permissions and choose the Attach policies option. Then, search for your created policy and select it.

Attach Policy to IAM User, Group, or Role Tutorial 2

Finally, click the Add permission button to save the policy assignment.

Step 6 – Troubleshooting Common Setup Issues

How to test Role functionality: 

SSH into the instance and use the AWS CLI to test assuming the role.

aws sts assume-role --role-arn <role-arn> --role-session-name TestSession

This command should return a JSON object with temporary security credentials (Access Key ID, Secret Access Key, Session Token).

How to validate Role Permissions:

Extract and export the temporary credentials from the JSON response. You can do this manually or by using command-line tools like jq. Set these credentials as environment variables:

export AWS_ACCESS_KEY_ID=<Temporary Access Key ID>
export AWS_SECRET_ACCESS_KEY=<Temporary Secret Access Key>
export AWS_SESSION_TOKEN=<Temporary Session Token>

Now, using these temporary credentials, test the permissions granted by the role. For instance, if the role is supposed to grant read-only access to S3, you can list the S3 buckets:

aws s3 ls

4 Ways to Monitor and Audit PassRole Activities

Monitoring and auditing PassRole activities are crucial for ensuring security compliance within AWS. Using tools like AWS CloudTrail, you can track API calls from IAM users, federated users, and AWS services. This log provides insights into who, when, and the permissions involved during each session.

1. Enable AWS CloudTrail Logging

AWS enables CloudTrail by default, but you can customize it with specific configurations.

Here’s an example AWS CLI command to create a new trail:

aws cloudtrail create-trail --name MyTrail --s3-bucket-name my-cloudtrail-logs

This command creates a trail named ‘MyTrail’ that stores logs in an S3 bucket my-cloudtrail-logs.

2. Set Up Amazon CloudWatch Alarms

You can set up a CloudWatch alarm to monitor specific CloudTrail metrics. Here’s an example AWS CLI command to create an alarm:

aws cloudwatch put-metric-alarm --alarm-name "PassRoleActivityAlarm" --metric-name "EventCount" --namespace "CloudTrailMetrics" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanThreshold --evaluation-periods 1 --dimensions Name=EventName,Value=PassRole Name=ResourceType,Value=AWS::IAM::Role --alarm-actions arn:aws:sns:region:account-id:my-sns-topic

This command triggers an alarm if the ‘PassRole’ event occurs more than once in five minutes.

3. Regular IAM Policy and Role Audits

You can use AWS CLI commands to list policies and roles. For regular audits. Here’s an example to list all IAM policies:

aws iam list-policies --scope Local

And to list roles:

aws iam list-roles

4. Use Third-Party Tools

Consider tools like Prowler and Cloud Custodian for an additional layer of scanning, particularly for vulnerabilities related to privilege escalation in AWS.

IAM PassRole is Powerful – Secure it Accordingly

IAM PassRole lets you get super specific about permissions, which is fantastic for AWS security. But those settings can get messy. And as your cloud setup gets bigger, it’s too easy to miss those little permission slip-ups that attackers love. 

Spectral makes this process dramatically easier. The platform continuously scans your environment using advanced automation, flagging potential issues like overly broad PassRole permissions and many other configuration risks. Simplify your cloud security with Spectral. Get started in minutes.

Related articles

top 12 open source security solutions

Top 12 Open Source Code Security Tools

Open source software is everywhere. From your server to your fitness band. And it’s only becoming more common as over 90% of developers acknowledge using open

top 10 java vulnerabilities

Top 10 Most Common Java Vulnerabilities You Need to Prevent

It’s easy to think that our code is secure. Vulnerabilities or potential exploits are often the things we think about last. Most of the time, our

6 steps to a data breach response plan

6 Steps to Developing a Data Breach Response Plan

Experiencing a data breach is never pleasant. Just ask any of the hundreds of businesses that suffered a data breach in the past year, exposing billions

Stop leaks at the source!