In-depth explanation of IAM PassRole

As an AWS security best practice, IAM policies should be narrowly scoped so that users are authorized to perform only the actions they need, on only the resources they expect. This matters even more when you authorize users to run code inside AWS services (for example, a Lambda function that accesses other resources), because that code runs with a role of its own rather than with the user's permissions. For this case, IAM provides a way to control which roles an authorized user may hand to an AWS service: the iam:PassRole permission.

Suppose we have the following scenario:

  1. Alice is an administrator of an AWS account.
  2. Bob is an authorized user of the same AWS account.
  3. Alice plans to allow Bob to manage a Lambda function that reads/writes data in an S3 bucket.
  4. Alice needs to provide Bob with a set of IAM permissions so that Bob:
     has sufficient permissions to properly manage Lambda functions, and
     does not get any permissions beyond that.

The simplest solution

  1. Alice grants Bob permission to create/modify/invoke Lambda functions.
  2. With the given permissions, Bob writes his Lambda function code to read/write the S3 bucket.
  3. With the given permissions, Bob configures his Lambda function with an execution role that has read/write permissions on the S3 bucket.
  4. With the given permissions, Bob invokes his Lambda function and successfully reads/writes the S3 bucket.

Note that Bob must configure an execution role for his Lambda function. The execution role is how a Lambda function gets access to other resources, and it is also where things can get out of hand: whoever chooses the role chooses what the function is allowed to do.

Privilege escalation through the execution role

  1. Alice grants Bob permission to create/modify/invoke Lambda functions.
  2. With the given permissions, Bob writes his Lambda function code to read a sensitive DynamoDB (DDB) table that does not belong to him.
  3. With the given permissions, Bob configures his Lambda function with an execution role that is allowed to read that sensitive DDB table.
  4. With the given permissions, Bob invokes his Lambda function and exfiltrates the sensitive data.

Because Bob is authorized to create/modify Lambda functions, he can use a function to obtain access he does not have himself: even though Bob is not authorized to read the sensitive DDB table, the function reads it on his behalf. The function gets that access from its execution role, and Bob chose the execution role. Without a further control, Bob's effective permissions are the union of his own permissions and those of every role he is able to attach to a function.

Introducing IAM PassRole

The AWS documentation explicitly lists the iam:PassRole permission as required when granting fine-grained access to manage Lambda functions. The reason is that attaching an execution role to a function means passing that role to the Lambda service, and IAM denies the call (for example, lambda:CreateFunction fails with an access-denied error) unless the caller has iam:PassRole on that specific role, or a broader grant that covers it, such as full administrator permissions. Scoping Bob's iam:PassRole to the one role Alice has vetted, instead of to all roles in the account, is what closes the gap described above.
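As an added example (not code from the original article), here is a small Python check that contrasts the two policies Alice could hand Bob: a broad one that grants iam:PassRole on every role, and a scoped one that limits iam:PassRole to a single role ARN and, through the iam:PassedToService condition key, to the Lambda service only. Both policy documents are constructed for illustration; the account id 123456789012, the role name bob-lambda-s3-role and the function-name prefix bob-* are placeholders. The check flags any Allow statement that grants iam:PassRole on a wildcard Resource or without an iam:PassedToService condition.

```python
"""Audit IAM identity policies for over-broad iam:PassRole grants.

Added example, not part of the original article. Both policy documents are
constructed for illustration; the account id 123456789012, the role name
bob-lambda-s3-role and the function prefix bob-* are placeholders.
"""
import json
from fnmatch import fnmatch
from typing import Any, Dict, List

# Constructed: the "simplest solution". lambda:* plus iam:PassRole on every
# role lets Bob attach any role in the account to a function he controls.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
})

# Constructed: the scoped version. Bob manages only his own functions and
# may pass exactly one vetted role, and only to the Lambda service.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "lambda:UpdateFunctionCode",
                "lambda:UpdateFunctionConfiguration",
                "lambda:InvokeFunction",
            ],
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:bob-*",
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::123456789012:role/bob-lambda-s3-role",
            "Condition": {
                "StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}
            },
        },
    ],
})


def _as_list(value: Any) -> List[Any]:
    """IAM accepts either a string or a list in Action/Resource/Condition values."""
    return value if isinstance(value, list) else [value]


def _passed_to_services(stmt: Dict[str, Any]) -> List[str]:
    """Collect the services named in any iam:PassedToService condition."""
    services: List[str] = []
    for operator_block in stmt.get("Condition", {}).values():
        for key, value in operator_block.items():
            if key.lower() == "iam:passedtoservice":
                services.extend(_as_list(value))
    return services


def find_passrole_issues(policy_json: str) -> List[str]:
    """Return one finding per weakness in each Allow statement granting PassRole.

    Only Action/Resource grants are examined; NotAction/NotResource statements,
    which can also grant PassRole, are out of scope for this check.
    """
    policy = json.loads(policy_json)
    findings: List[str] = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        # fnmatch catches wildcard grants such as "*", "iam:*" or "iam:Pass*".
        if not any(fnmatch("iam:passrole", pattern) for pattern in actions):
            continue
        for res in _as_list(stmt.get("Resource", "*")):
            if "*" in res:
                findings.append(
                    f"statement {idx}: iam:PassRole allowed on wildcard resource {res!r}"
                )
        if not _passed_to_services(stmt):
            findings.append(
                f"statement {idx}: no iam:PassedToService condition; "
                "the role can be passed to any service, not just Lambda"
            )
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        issues = find_passrole_issues(doc)
        print(f"{name}: {'OK' if not issues else str(len(issues)) + ' finding(s)'}")
        for issue in issues:
            print("  -", issue)
```

Running the file reports two findings for the broad policy (wildcard resource, missing iam:PassedToService) and none for the scoped one. The wildcard in the Lambda function-name Resource (bob-*) is intentional and not flagged, since the check only looks at statements that grant iam:PassRole. Note what the scoped policy does and does not do: it limits which role Bob can attach, but it does not limit what that role can do, so Alice still has to review the permissions of bob-lambda-s3-role itself.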
