Understand IAM PassRole to Secure your AWS Infrastructure


It’s a very common practice to pass a role to an AWS service so that it can perform tasks on your behalf.

The service can assume the passed role and perform every task the role permits. Sounds easy and convenient, right? 🙂

Now imagine a situation!!!

A normal user (with limited access) creates an Admin role and passes that role to an EC2 instance.

What do you think will happen?

Escalation of privilege? Or an error?

Well, that depends on whether the user has the PassRole permission needed to pass the Admin role to the instance.

Now, what’s IAM PassRole?

Let’s find out…

What is IAM PassRole?

First of all, tell me: what do you think about the Action iam:PassRole in the policy snippet below?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect":"Allow",
      "Action":"iam:PassRole",
      "Resource":"arn:aws:iam::123456789012:role/EC2Role"
    }
  ]
}

Well, usually an action in a policy document maps one to one to an API call.

But surprise surprise!!!

iam:PassRole is not an action or an API call. You can confirm this by checking the IAM API documentation.

That’s confusing enough.

What is it then?

Basically, iam:PassRole is the permission that controls which users can delegate an IAM role to an AWS resource.

To pass a role (and its permissions) to an AWS service, a user must have the iam:PassRole permission attached to their IAM user, role, or group.

Let’s understand this with an example.

Bob -> IAM User

EC2Role -> Service role which can be assumed by an EC2 instance

Bob -> Passes EC2Role to the EC2 service when launching an instance (PassRole)

Now, the service (EC2) checks whether Bob has permission to pass this role to the EC2 instance.

If yes, the instance is launched with that role successfully. If no, an error like the one below is thrown.

User: arn:aws:iam::123456789012:user/Bob is not authorized to perform: iam:PassRole on resource: arn:aws:iam::123456789012:role/EC2Role

In short, Bob must have the iam:PassRole permission for EC2Role in order to pass the role to the EC2 service, like below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect":"Allow",
      "Action":["ec2:*"],
      "Resource":"*"
    },
    {
      "Effect":"Allow",
      "Action":"iam:PassRole",
      "Resource":"arn:aws:iam::123456789012:role/EC2Role"
    }
  ]
}

Why is the iam:PassRole Permission Important?

The simple answer is: because it’s an additional layer of security against privilege escalation attacks.

In other words, it helps administrators ensure that only approved users can configure a service with a role that grants permissions.

Let’s come back to the question I asked in the beginning.

Suppose you are a user who has only limited permissions. You create an Administrator role and assign it to an EC2 instance.

If there were no concept of iam:PassRole, you could successfully pass that role to EC2.

That way you could perform all the admin actions you are otherwise not allowed to do.

But thanks to PassRole, you can’t do that unless you have explicit permission to pass the admin role to EC2.

Making iam:PassRole More Restrictive

In many cases I do see people using the iam:PassRole permission, but they tend to put “*” in the resource, like below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect":"Allow",
      "Action":"iam:PassRole",
      "Resource":"*"
    }
  ]
}

Why?

Because, it’s the easiest thing to do.

What does the above permission mean?

It means that this principal (user) is allowed to pass any role to any AWS service.

If this user’s credentials are compromised, it will allow attackers to create any role they want and assign it to any service to perform any malicious task that they want.

Solution:

Always be specific and follow the principle of least privilege: name the exact role(s) you want the user to be able to pass.
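As an added example (not code from the original post), here is a small offline Python checker that mirrors the decision the service makes: given a policy document in the shape shown above, it reports whether a principal may pass a given role ARN, and it flags PassRole statements whose Resource is a wildcard. It evaluates only Effect, Action and Resource (no Condition, NotAction/NotResource or permission boundaries), and the policies and ARNs are constructed samples.

```python
import fnmatch

# Constructed sample policies, in the same shape as the ones in the post.
RESTRICTIVE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/EC2Role"},
]}
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
]}

def _as_list(value):
    # Policy fields may be a single string or a list; normalize to a list.
    return [] if value is None else value if isinstance(value, list) else [value]

def _matches(patterns, target):
    # IAM-style matching with '*' and '?' wildcards (e.g. "iam:*", "role/*").
    return any(fnmatch.fnmatchcase(target, p) for p in patterns)

def _passrole_statements(policy):
    # Yield only the statements whose Action covers iam:PassRole.
    for stmt in policy.get("Statement", []):
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if _matches(actions, "iam:passrole"):
            yield stmt

def passrole_allowed(policy, role_arn):
    # Mirror the check a service makes before accepting a passed role: True only
    # if an Allow statement covers role_arn and no Deny statement does (explicit
    # Deny wins). Conditions, NotAction/NotResource and permission boundaries
    # are deliberately not modelled here.
    allowed = False
    for stmt in _passrole_statements(policy):
        if not _matches(_as_list(stmt.get("Resource")), role_arn):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed

def overly_broad_passrole(policy):
    # Least-privilege lint: return Allow resources that let the principal pass
    # *any* role ("*" or a pattern ending in "role/*").
    return [res for stmt in _passrole_statements(policy)
            if stmt.get("Effect") == "Allow"
            for res in _as_list(stmt.get("Resource"))
            if res == "*" or res.endswith("role/*")]

if __name__ == "__main__":
    admin = "arn:aws:iam::123456789012:role/AdminRole"
    print(passrole_allowed(WILDCARD_POLICY, admin), overly_broad_passrole(WILDCARD_POLICY))
```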

Conclusion:

To sum up what we learnt in this post:

  • To pass a role to an AWS service, a user must have the iam:PassRole permission.
  • We also learnt why it is important.
  • Finally, we learnt that using PassRole correctly helps protect against privilege escalation attacks.


I hope this post was useful to you.
