Skip to content

Instantly share code, notes, and snippets.

@noamsdahan

noamsdahan/passrole_actions_and_parameters.csv

Last active April 19, 2024 05:54
Show Gist options
  • Save noamsdahan/928aafbcca71f95b07472f22e35dc93c to your computer and use it in GitHub Desktop.
Save noamsdahan/928aafbcca71f95b07472f22e35dc93c to your computer and use it in GitHub Desktop.
Download ZIP
A list of IAM actions which require iam:PassRole as of December 2020. Nested parameters are written with dot ('.') notation. Where there are multiple relevant parameters, they are separated by the pipe character ('|'). consult the AWS documentation on special cases - noted with an asterisk (most of them are "array of documents" type parameters).…
Raw
passrole_actions_and_parameters.csv
IAM Permission Params
amplify:CreateApp iamServiceRoleArn
amplify:UpdateApp iamServiceRoleArn
appconfig:CreateConfigurationProfile RetrievalRoleArn
appconfig:UpdateConfigurationProfile RetrievalRoleArn
appflow:CreateConnectorProfile connectorProfileConfig.connectorProfileProperties.Redshift.roleArn
appflow:UpdateConnectorProfile connectorProfileConfig.connectorProfileProperties.Redshift.roleArn
application-autoscaling:RegisterScalableTarget RoleARN
apprunner:CreateService SourceConfiguration.AuthenticationConfiguration.AccessRoleArn|InstanceConfiguration.InstanceRoleArn
apprunner:UpdateService SourceConfiguration.AuthenticationConfiguration.AccessRoleArn|InstanceConfiguration.InstanceRoleArn
appstream2:CreateFleet IamRoleArn
appstream2:CreateImageBuilder IamRoleArn
appstream2:UpdateFleet IamRoleArn
appsync:CreateDataSource serviceRoleArn|httpConfig.authorizationConfig.awsIamConfig.signingRegion|httpConfig.authorizationConfig.awsIamConfig.signingServiceName
appsync:CreateGraphqlApi logConfig.cloudWatchLogsRoleArn
appsync:UpdateDataSource serviceRoleArn|httpConfig.authorizationConfig.awsIamConfig.signingRegion|httpConfig.authorizationConfig.awsIamConfig.signingServiceName
appsync:UpdateGraphqlApi logConfig.cloudWatchLogsRoleArn
autoscaling:CreateAutoScalingGroup LaunchConfigurationName|LaunchTemplate.LaunchTemplateId|LaunchTemplate.LaunchTemplateName|LaunchTemplate.Version|MixedInstancesPolicy.LaunchTemplate.LaunchTemplateSpecification.LaunchTemplateId|MixedInstancesPolicy.LaunchTemplate.LaunchTemplateSpecification.LaunchTemplateName|MixedInstancesPolicy.LaunchTemplate.LaunchTemplateSpecification.Version|MixedInstancesPolicy.LaunchTemplate.Overrides|ServiceLinkedRoleARN|LifeCycleHookSpecification.RoleARN
autoscaling:CreateLaunchConfiguration LaunchConfigurationName|IamInstanceProfile
autoscaling:PutLifecycleHook RoleARN
autoscaling:UpdateAutoScalingGroup LaunchConfigurationName|LaunchTemplate.LaunchTemplateId|LaunchTemplate.LaunchTemplateName|LaunchTemplate.Version|MixedInstancesPolicy.LaunchTemplate.LaunchTemplateSpecification.LaunchTemplateId|MixedInstancesPolicy.LaunchTemplate.LaunchTemplateSpecification.LaunchTemplateName|MixedInstancesPolicy.LaunchTemplate.LaunchTemplateSpecification.Version|MixedInstancesPolicy.LaunchTemplate.Overrides|ServiceLinkedRoleARN|LifeCycleHookSpecification.RoleARN
backup:CreateBackupSelection BackupSelection.IamRoleArn
backup:StartBackupJob IamRoleArn
backup:StartCopyJob IamRoleArn
backup:StartRestoreJob IamRoleArn
batch:CreateComputeEnvironment computeResources.instanceRole|computeResources.spotIamFleetRole|computeResources.launchTemplate.launchTemplateId|computeResources.launchTemplate.launchTemplateName|computeResources.launchTemplate.version|serviceRole
batch:RegisterJobDefinition containerProperties.jobRoleArn|containerProperties.executionRoleArn
batch:UpdateComputeEnvironment serviceRole
budgets:CreateBudgetAction Definition.IamActionDefinition.PolicyArn|Definition.IamActionDefinition.Roles|Definition.IamActionDefinition.Groups|Definition.IamActionDefinition.Users|ExecutionRoleArn
budgets:UpdateBudgetAction Definition.IamActionDefinition.PolicyArn|Definition.IamActionDefinition.Roles|Definition.IamActionDefinition.Groups|Definition.IamActionDefinition.Users|ExecutionRoleArn
cloudformation:ContinueUpdateRollback RoleARN
cloudformation:CreateChangeSet RoleARN
cloudformation:CreateStack RoleARN
cloudformation:CreateStackInstances ParameterOverrides*
cloudformation:CreateStackSet AdministrationRoleARN|ExecutionRoleName
cloudformation:EstimateTemplateCost ParameterOverrides*
cloudformation:RegisterType LoggingConfig.LogRoleArn|ExecutionRoleArn
cloudformation:UpdateStack RoleARN
cloudformation:UpdateStackInstances ParameterOverrides*
cloudformation:UpdateStackSet AdministrationRoleARN|ExecutionRoleName
cloudtrail:CreateTrail CloudWatchLogsRoleArn
cloudtrail:UpdateTrail CloudWatchLogsRoleArn
codebuild:CreateProject serviceRole|buildBatchConfig.serviceRole
codebuild:StartBuild serviceRoleOverride
codebuild:StartBuildBatch serviceRoleOverride|buildBatchConfigOverride.serviceRole
codebuild:UpdateProject serviceRole|buildBatchConfig.serviceRole
codedeploy:CreateDeploymentGroup serviceRoleArn
codedeploy:UpdateDeploymentGroup serviceRoleArn
codepipeline:CreatePipeline pipeline.roleArn
codepipeline:UpdatePipeline pipeline.roleArn
codestar:CreateProject toolchain.roleArn
cognito-identity:SetIdentityPoolRoles Roles|RoleMappings
cognito-idp:CreateGroup RoleArn
cognito-idp:CreateUserImportJob CloudWatchLogsRoleArn
cognito-idp:CreateUserPoolClient AnalyticsConfiguration.RoleArn
cognito-idp:UpdateGroup RoleArn
cognito-idp:UpdateUserPoolClient AnalyticsConfiguration.RoleArn
cognito-sync:SetIdentityPoolConfiguration PushSync.RoleArn|CognitoStreams.RoleArn
comprehend:CreateDocumentClassifier DataAccessRoleArn
comprehend:CreateEntityRecognizer DataAccessRoleArn
comprehend:StartDocumentClassificationJob DataAccessRoleArn
comprehend:StartDominantLanguageDetectionJob DataAccessRoleArn
comprehend:StartEntitiesDetectionJob DataAccessRoleArn
comprehend:StartEventsDetectionJob DataAccessRoleArn
comprehend:StartKeyPhrasesDetectionJob DataAccessRoleArn
comprehend:StartPiiEntitiesDetectionJob DataAccessRoleArn
comprehend:StartSentimentDetectionJob DataAccessRoleArn
comprehend:StartTopicsDetectionJob DataAccessRoleArn
config:PutConfigurationAggregator OrganizationAggregationSource.RoleArn
config:PutConfigurationRecorder ConfigurationRecorder.roleARN
datapipeline:PutPipelineDefinition pipelineObjects.fields*
datapipeline:ValidatePipelineDefinition pipelineObjects.fields*
datasync:CreateLocationS3 S3Config.BucketAccessRoleArn
dax:CreateCluster IamRoleArn
dlm:CreateLifecyclePolicy ExecutionRoleArn
dlm:UpdateLifecyclePolicy ExecutionRoleArn
dms:CreateEndpoint ServiceAccessRoleArn|DynamoDbSettings.ServiceAccessRoleArn|S3Settings.ServiceAccessRoleArn|DmsTransferSettings.ServiceAccessRoleArn|KinesisSettings.ServiceAccessRoleArn|ElasticsearchSettings.ServiceAccessRoleArn|NeptuneSettings.ServiceAccessRoleArn|NeptuneSettings.IamAuthEnabled|RedshiftSettings.ServiceAccessRoleArn
dms:ModifyEndpoint ServiceAccessRoleArn|DynamoDbSettings.ServiceAccessRoleArn|S3Settings.ServiceAccessRoleArn|DmsTransferSettings.ServiceAccessRoleArn|KinesisSettings.ServiceAccessRoleArn|ElasticsearchSettings.ServiceAccessRoleArn|NeptuneSettings.ServiceAccessRoleArn|NeptuneSettings.IamAuthEnabled|RedshiftSettings.ServiceAccessRoleArn
dynamodb:UpdateGlobalTableSettings GlobalTableProvisionedWriteCapacityAutoScalingSettingsUpdate.AutoScalingRoleArn
dynamodb:UpdateTableReplicaAutoScaling ProvisionedWriteCapacityAutoScalingUpdate.AutoScalingRoleArn
ec2:AssociateIamInstanceProfile IamInstanceProfile.Arn|IamInstanceProfile.Name
ec2:CreateFleet LaunchTemplateConfigs
ec2:CreateFlowLogs DeliverLogsPermissionArn
ec2:ModifyFleet LaunchTemplateConfigs
ec2:ModifySpotFleetRequest LaunchTemplateConfigs
ec2:ReplaceIamInstanceProfileAssociation IamInstanceProfile.Arn|IamInstanceProfile.Name
ec2:RequestSpotFleet SpotFleetRequestConfig.IamFleetRole|SpotFleetRequestConfig.LaunchTemplateConfigs
ec2:RequestSpotInstances LaunchSpecification.IamInstanceProfile.Arn|LaunchSpecification.IamInstanceProfile.Name
ec2:RunInstances IamInstanceProfile.Arn|IamInstanceProfile.Name|LaunchTemplate.LaunchTemplateId|LaunchTemplate.LaunchTemplateName|LaunchTemplate.Version
ec2:RunScheduledInstances LaunchSpecification.IamInstanceProfile.Arn|LaunchSpecification.IamInstanceProfile.Name
ecs:CreateService taskDefinition|role
ecs:CreateTaskSet taskDefinition
ecs:RegisterTaskDefinition taskRoleArn|executionRoleArn
ecs:RunTask overrides.executionRoleArn|overrides.taskRoleArn|taskDefinition
ecs:StartTask overrides.executionRoleArn|overrides.taskRoleArn|taskDefinition
eks:CreateCluster roleArn
eks:CreateFargateProfile podExecutionRoleArn
eks:CreateNodegroup nodeRole|launchTemplate.name|launchTemplate.version|launchTemplate.id
elasticbeanstalk:AssociateEnvironmentOperationsRole OperationsRole
elasticbeanstalk:CreateApplication ResourceLifecycleConfig.ServiceRole
elasticbeanstalk:CreateApplicationVersion BuildConfiguration.CodeBuildServiceRole
elasticbeanstalk:CreateEnvironment TemplateName|OperationsRole
elasticbeanstalk:UpdateApplicationResourceLifecycle ResourceLifecycleConfig.ServiceRole
elasticbeanstalk:UpdateConfigurationTemplate TemplateName
elasticbeanstalk:UpdateEnvironment TemplateName
elasticmapreduce:RunJobFlow JobFlowRole|ServiceRole|AutoScalingRole
elastictranscoder:CreatePipeline Role
elastictranscoder:TestRole Role
elastictranscoder:UpdatePipeline Role
es:CreateElasticsearchDomain CognitoOptions.RoleArn|AdvancedSecurityOptions.SAMLOptions.MasterBackendRole|AdvancedSecurityOptions.SAMLOptions.RolesKey
es:UpdateElasticsearchDomainConfig CognitoOptions.RoleArn|AdvancedSecurityOptions.SAMLOptions.MasterBackendRole|AdvancedSecurityOptions.SAMLOptions.RolesKey
events:PutRule RoleArn
firehose:CreateDeliveryStream KinesisStreamSourceConfiguration.RoleARN|S3DestinationConfiguration.RoleARN|ExtendedS3DestinationConfiguration.RoleARN|ExtendedS3DestinationConfiguration.S3BackupConfiguration.RoleARN|ExtendedS3DestinationConfiguration.DataFormatConversionConfiguration.SchemaConfiguration.RoleARN|RedshiftDestinationConfiguration.RoleARN|RedshiftDestinationConfiguration.S3Configuration.RoleARN|RedshiftDestinationConfiguration.S3BackupConfiguration.RoleARN|ElasticsearchDestinationConfiguration.RoleARN|ElasticsearchDestinationConfiguration.S3Configuration.RoleARN|ElasticsearchDestinationConfiguration.VpcConfiguration.RoleARN|SplunkDestinationConfiguration.S3Configuration.RoleARN
firehose:UpdateDestination S3DestinationUpdate.RoleARN|ExtendedS3DestinationUpdate.RoleARN|ExtendedS3DestinationUpdate.S3BackupUpdate.RoleARN|ExtendedS3DestinationUpdate.DataFormatConversionConfiguration.SchemaConfiguration.RoleARN|RedshiftDestinationUpdate.RoleARN|RedshiftDestinationUpdate.S3Update.RoleARN|RedshiftDestinationUpdate.S3BackupUpdate.RoleARN|ElasticsearchDestinationUpdate.RoleARN|ElasticsearchDestinationUpdate.S3Update.RoleARN|SplunkDestinationUpdate.S3Update.RoleARN|HttpEndpointDestinationUpdate.RoleARN|HttpEndpointDestinationUpdate.S3Update.RoleARN
fms:PutNotificationChannel SnsRoleName
forecast:CreateDataset EncryptionConfig.RoleArn
forecast:CreateDatasetImportJob DataSource.S3Config.RoleArn
forecast:CreateForecastExportJob Destination.S3Config.RoleArn
forecast:CreatePredictor EncryptionConfig.RoleArn
frauddetector:CreateModelVersion externalEventsDetail.dataAccessRoleArn
frauddetector:PutExternalModel invokeModelEndpointRoleArn
frauddetector:UpdateModelVersion externalEventsDetail.dataAccessRoleArn
gamelift:CreateBuild StorageLocation.RoleArn
gamelift:CreateFleet InstanceRoleArn
gamelift:CreateGameServerGroup RoleArn|LaunchTemplate.LaunchTemplateId|LaunchTemplate.LaunchTemplateName|LaunchTemplate.Version
gamelift:CreateScript StorageLocation.RoleArn
gamelift:UpdateGameServerGroup RoleArn
gamelift:UpdateScript StorageLocation.RoleArn
glue:CreateCrawler Role
glue:CreateDevEndpoint RoleArn
glue:CreateJob Role
glue:CreateMLTransform Role
glue:UpdateCrawler Role
glue:UpdateJob JobUpdate.Role
glue:UpdateMLTransform Role
greengrass:AssociateRoleToGroup RoleArn
greengrass:AssociateServiceRoleToAccount RoleArn
greengrass:CreateSoftwareUpdateJob S3UrlSignerRole
greengrass:StartBulkDeployment ExecutionRoleArn
iam:AddRoleToInstanceProfile InstanceProfileName|RoleName
imagebuilder:CreateInfrastructureConfiguration instanceProfileName
imagebuilder:UpdateInfrastructureConfiguration instanceProfileName
inspector:RegisterCrossAccountAccessRole roleArn
iot:CreateAuditSuppression resourceIdentifier.iamRoleArn|resourceIdentifier.roleAliasArn
iot:CreateJob presignedUrlConfig.roleArn
iot:CreateMitigationAction roleArn|actionParams.enableIoTLoggingParams.roleArnForLogging
iot:CreateOTAUpdate roleArn
iot:CreateRoleAlias roleAlias|roleArn
iot:CreateStream roleArn
iot:CreateTopicRule topicRulePayload.errorAction.dynamoDB.roleArn|topicRulePayload.errorAction.dynamoDBv2.roleArn|topicRulePayload.errorAction.sns.roleArn|topicRulePayload.errorAction.sqs.roleArn|topicRulePayload.errorAction.kinesis.roleArn|topicRulePayload.errorAction.republish.roleArn|topicRulePayload.errorAction.s3.roleArn|topicRulePayload.errorAction.firehose.roleArn|topicRulePayload.errorAction.cloudwatchMetric.roleArn|topicRulePayload.errorAction.cloudwatchAlarm.roleArn|topicRulePayload.errorAction.cloudwatchLogs.roleArn|topicRulePayload.errorAction.elasticsearch.roleArn
iot:RegisterCACertificate registrationConfig.roleArn
iot:ReplaceTopicRule topicRulePayload.errorAction.dynamoDB.roleArn|topicRulePayload.errorAction.dynamoDBv2.roleArn|topicRulePayload.errorAction.sns.roleArn|topicRulePayload.errorAction.sqs.roleArn|topicRulePayload.errorAction.kinesis.roleArn|topicRulePayload.errorAction.republish.roleArn|topicRulePayload.errorAction.s3.roleArn|topicRulePayload.errorAction.firehose.roleArn|topicRulePayload.errorAction.cloudwatchMetric.roleArn|topicRulePayload.errorAction.cloudwatchAlarm.roleArn|topicRulePayload.errorAction.cloudwatchLogs.roleArn|topicRulePayload.errorAction.elasticsearch.roleArn
iot:SetLoggingOptions loggingOptionsPayload.roleArn
iot:SetV2LoggingOptions roleArn
iot:StartThingRegistrationTask roleArn
iot:UpdateAccountAuditConfiguration roleArn
iot:UpdateAuditSuppression resourceIdentifier.iamRoleArn|resourceIdentifier.roleAliasArn
iot:UpdateCACertificate registrationConfig.roleArn
iot:UpdateJob presignedUrlConfig.roleArn
iot:UpdateMitigationAction roleArn|actionParams.enableIoTLoggingParams.roleArnForLogging
iot:UpdateProvisioningTemplate provisioningRoleArn
iot:UpdateRoleAlias roleAlias|roleArn
iot:UpdateStream roleArn
iotanalytics:CreateChannel channelStorage.customerManagedS3.roleArn
iotanalytics:CreateDatastore datastoreStorage.customerManagedS3.roleArn
iotanalytics:PutLoggingOptions loggingOptions.roleArn
iotanalytics:RunPipelineActivity pipelineActivity.deviceRegistryEnrich.roleArn|pipelineActivity.deviceShadowEnrich.roleArn
iotanalytics:UpdateChannel channelStorage.customerManagedS3.roleArn
iotanalytics:UpdateDatastore datastoreStorage.customerManagedS3.roleArn
iotevents:CreateDetectorModel roleArn
iotevents:PutLoggingOptions loggingOptions.roleArn
iotevents:UpdateDetectorModel roleArn
iotsitewise:CreateAccessPolicy accessPolicyIdentity.iamUser.arn
iotsitewise:CreatePortal roleArn
iotsitewise:UpdateAccessPolicy accessPolicyIdentity.iamUser.arn
iotsitewise:UpdatePortal roleArn
iotthingsgraph:CreateSystemInstance metricsConfiguration.metricRuleRoleArn|flowActionsRoleArn
kendra:BatchPutDocument RoleArn
kendra:CreateDataSource RoleArn
kendra:CreateFaq RoleArn
kendra:CreateIndex RoleArn
kendra:UpdateDataSource RoleArn
kendra:UpdateIndex RoleArn
kinesisanalytics:AddApplicationCloudWatchLoggingOption CloudWatchLoggingOption.RoleARN
kinesisanalytics:AddApplicationInput Input.InputProcessingConfiguration.InputLambdaProcessor.RoleARN|Input.KinesisStreamsInput.RoleARN|Input.KinesisFirehoseInput.RoleARN
kinesisanalytics:AddApplicationInputProcessingConfiguration InputProcessingConfiguration.InputLambdaProcessor.RoleARN
kinesisanalytics:AddApplicationOutput Output.KinesisStreamsOutput.RoleARN|Output.KinesisFirehoseOutput.RoleARN|Output.LambdaOutput.RoleARN
kinesisanalytics:AddApplicationReferenceDataSource ReferenceDataSource.S3ReferenceDataSource.ReferenceRoleARN
kinesisanalytics:DiscoverInputSchema RoleARN|S3Configuration.RoleARN|InputProcessingConfiguration.InputLambdaProcessor.RoleARN
lakeformation:RegisterResource UseServiceLinkedRole|RoleArn
lakeformation:UpdateResource RoleArn
lambda:CreateFunction Role
lambda:UpdateFunctionConfiguration Role
lex:PutBotAlias conversationLogs.iamRoleArn
lex:PutIntent kendraConfiguration.role
logs:PutDestination roleArn
logs:PutSubscriptionFilter roleArn
machinelearning:CreateDataSourceFromRDS RDSData.ResourceRole|RDSData.ServiceRole|RoleARN
machinelearning:CreateDataSourceFromRedshift RoleARN
mediaconnect:CreateFlow Source.Decryption.RoleArn
mediaconnect:UpdateFlowEntitlement Encryption.RoleArn
mediaconnect:UpdateFlowOutput Encryption.RoleArn
mediaconnect:UpdateFlowSource Decryption.RoleArn
mediaconvert:CreateJob Role
medialive:CreateChannel RoleArn
medialive:CreateInput RoleArn
medialive:UpdateChannel RoleArn
medialive:UpdateInput RoleArn
mediapackage-vod:CreateAsset SourceRoleArn
mediapackage-vod:CreatePackagingConfiguration CmafPackage.Encryption.SpekeKeyProvider.RoleArn|DashPackage.Encryption.SpekeKeyProvider.RoleArn|HlsPackage.Encryption.SpekeKeyProvider.RoleArn|MssPackage.Encryption.SpekeKeyProvider.RoleArn
mediapackage-vod:CreatePackagingGroup Authorization.SecretsRoleArn
mediapackage:CreateOriginEndpoint Authorization.SecretsRoleArn|CmafPackage.Encryption.SpekeKeyProvider.RoleArn|DashPackage.Encryption.SpekeKeyProvider.RoleArn|HlsPackage.Encryption.SpekeKeyProvider.RoleArn|MssPackage.Encryption.SpekeKeyProvider.RoleArn
mediapackage:UpdateOriginEndpoint Authorization.SecretsRoleArn|CmafPackage.Encryption.SpekeKeyProvider.RoleArn|DashPackage.Encryption.SpekeKeyProvider.RoleArn|HlsPackage.Encryption.SpekeKeyProvider.RoleArn|MssPackage.Encryption.SpekeKeyProvider.RoleArn
mobiletargeting:CreateExportJob ExportJobRequest.RoleArn
mobiletargeting:CreateImportJob ImportJobRequest.RoleArn
mobiletargeting:CreateRecommenderConfiguration CreateRecommenderConfiguration.RecommendationProviderRoleArn
mobiletargeting:PutEventStream WriteEventStream.RoleArn
mobiletargeting:UpdateEmailChannel EmailChannelRequest.RoleArn
mobiletargeting:UpdateRecommenderConfiguration UpdateRecommenderConfiguration.RecommendationProviderRoleArn
mq:CreateBroker LdapServerMetadata.RoleBase|LdapServerMetadata.RoleName|LdapServerMetadata.RoleSearchMatching|LdapServerMetadata.RoleSearchSubtree|LdapServerMetadata.UserRoleName
mq:UpdateBroker LdapServerMetadata.RoleBase|LdapServerMetadata.RoleName|LdapServerMetadata.RoleSearchMatching|LdapServerMetadata.RoleSearchSubtree|LdapServerMetadata.UserRoleName
opsworks-cm:CreateServer InstanceProfileArn|ServiceRoleArn
opsworks:CloneStack ServiceRoleArn|DefaultInstanceProfileArn
opsworks:CreateLayer CustomInstanceProfileArn
opsworks:CreateStack ServiceRoleArn|DefaultInstanceProfileArn
opsworks:CreateUserProfile IamUserArn
opsworks:DeleteUserProfile IamUserArn
opsworks:UpdateLayer CustomInstanceProfileArn
opsworks:UpdateStack ServiceRoleArn|DefaultInstanceProfileArn
organizations:CreateAccount RoleName|IamUserAccessToBilling
organizations:CreateGovCloudAccount RoleName|IamUserAccessToBilling
personalize:CreateBatchInferenceJob roleArn
personalize:CreateDatasetGroup roleArn
personalize:CreateDatasetImportJob roleArn
qldb:ExportJournalToS3 RoleArn
qldb:StreamJournalToKinesis RoleArn
rds:AddRoleToDBCluster RoleArn
rds:AddRoleToDBInstance RoleArn
rds:CreateDBCluster EnableIAMDatabaseAuthentication|DomainIAMRoleName
rds:CreateDBInstance MonitoringRoleArn|DomainIAMRoleName|EnableIAMDatabaseAuthentication
rds:CreateDBInstanceReadReplica MonitoringRoleArn|EnableIAMDatabaseAuthentication|DomainIAMRoleName
rds:CreateDBProxy RoleArn
rds:ModifyDBCluster EnableIAMDatabaseAuthentication|DomainIAMRoleName
rds:ModifyDBInstance MonitoringRoleArn|DomainIAMRoleName|EnableIAMDatabaseAuthentication
rds:ModifyDBProxy RoleArn
rds:ModifyOptionGroup OptionsToInclude*
rds:RemoveRoleFromDBCluster RoleArn
rds:RemoveRoleFromDBInstance RoleArn
rds:RestoreDBClusterFromS3 EnableIAMDatabaseAuthentication|S3IngestionRoleArn|DomainIAMRoleName
rds:RestoreDBClusterFromSnapshot EnableIAMDatabaseAuthentication|DomainIAMRoleName
rds:RestoreDBClusterToPointInTime EnableIAMDatabaseAuthentication|DomainIAMRoleName
rds:RestoreDBInstanceFromDBSnapshot DomainIAMRoleName|EnableIAMDatabaseAuthentication
rds:RestoreDBInstanceFromS3 MonitoringRoleArn|EnableIAMDatabaseAuthentication|S3IngestionRoleArn
rds:RestoreDBInstanceToPointInTime DomainIAMRoleName|EnableIAMDatabaseAuthentication
rds:StartExportTask IamRoleArn
redshift:CreateCluster IamRoles
redshift:CreateScheduledAction IamRole
redshift:ModifyClusterIamRoles AddIamRoles|RemoveIamRoles
redshift:ModifyScheduledAction IamRole
redshift:RestoreFromClusterSnapshot IamRoles
rekognition:CreateStreamProcessor RoleArn
rekognition:StartCelebrityRecognition NotificationChannel.RoleArn
rekognition:StartContentModeration NotificationChannel.RoleArn
rekognition:StartFaceDetection NotificationChannel.RoleArn
rekognition:StartFaceSearch NotificationChannel.RoleArn
rekognition:StartLabelDetection NotificationChannel.RoleArn
rekognition:StartPersonTracking NotificationChannel.RoleArn
rekognition:StartSegmentDetection NotificationChannel.RoleArn
rekognition:StartTextDetection NotificationChannel.RoleArn
robomaker:CreateSimulationJob iamRole
robomaker:CreateWorldExportJob iamRole
s3-control:CreateJob CreateJobRequest.RoleArn
s3:PutBucketNotification NotificationConfiguration.CloudFunctionConfiguration.InvocationRole
s3:PutBucketReplication Role
sagemaker:CreateAlgorithm ValidationSpecification.ValidationRole
sagemaker:CreateAutoMLJob RoleArn
sagemaker:CreateCompilationJob RoleArn
sagemaker:CreateDomain DefaultUserSettings.ExecutionRole
sagemaker:CreateFlowDefinition RoleArn
sagemaker:CreateHyperParameterTuningJob TrainingJobDefinition.RoleArn
sagemaker:CreateLabelingJob RoleArn
sagemaker:CreateModel ExecutionRoleArn
sagemaker:CreateModelPackage ValidationSpecification.ValidationRole
sagemaker:CreateMonitoringSchedule MonitoringScheduleConfig.MonitoringJobDefinition.RoleArn
sagemaker:CreateNotebookInstance RoleArn
sagemaker:CreateProcessingJob RoleArn
sagemaker:CreateTrainingJob RoleArn
sagemaker:CreateUserProfile UserSettings.ExecutionRole
sagemaker:RenderUiTemplate RoleArn
sagemaker:UpdateDomain DefaultUserSettings.ExecutionRole
sagemaker:UpdateMonitoringSchedule MonitoringScheduleConfig.MonitoringJobDefinition.RoleArn
sagemaker:UpdateNotebookInstance RoleArn
sagemaker:UpdateUserProfile UserSettings.ExecutionRole
securityhub:CreateInsight Filters.ResourceAwsEc2InstanceIamInstanceProfileArn|Filters.ResourceAwsIamAccessKeyUserName|Filters.ResourceAwsIamAccessKeyStatus|Filters.ResourceAwsIamAccessKeyCreatedAt
securityhub:UpdateFindings Filters.ResourceAwsEc2InstanceIamInstanceProfileArn|Filters.ResourceAwsIamAccessKeyUserName|Filters.ResourceAwsIamAccessKeyStatus|Filters.ResourceAwsIamAccessKeyCreatedAt
securityhub:UpdateInsight Filters.ResourceAwsEc2InstanceIamInstanceProfileArn|Filters.ResourceAwsIamAccessKeyUserName|Filters.ResourceAwsIamAccessKeyStatus|Filters.ResourceAwsIamAccessKeyCreatedAt
ses:CreateConfigurationSetEventDestination EventDestination.KinesisFirehoseDestination.IAMRoleARN
ses:UpdateConfigurationSetEventDestination EventDestination.KinesisFirehoseDestination.IAMRoleARN
shield:AssociateDRTRole RoleArn
sms-voice:CreateConfigurationSetEventDestination EventDestination.CloudWatchLogsDestination.IamRoleArn|EventDestination.KinesisFirehoseDestination.IamRoleArn
sms-voice:UpdateConfigurationSetEventDestination EventDestination.CloudWatchLogsDestination.IamRoleArn|EventDestination.KinesisFirehoseDestination.IamRoleArn
sms:CreateApp roleName
sms:CreateReplicationJob roleName
sms:ImportAppCatalog roleName
sms:PutAppLaunchConfiguration roleName|serverGroupLaunchConfigurations
sms:UpdateApp roleName
sms:UpdateReplicationJob roleName
snowball:CreateCluster RoleARN
snowball:CreateJob RoleARN
snowball:UpdateCluster RoleARN
snowball:UpdateJob RoleARN
ssm:CreateActivation IamRole
ssm:CreateDocument [Special case: consult the docs]*
ssm:RegisterTaskWithMaintenanceWindow ServiceRoleArn|TaskInvocationParameters.RunCommand.ServiceRoleArn
ssm:SendCommand ServiceRoleArn
ssm:UpdateMaintenanceWindowTask ServiceRoleArn|TaskInvocationParameters.RunCommand.ServiceRoleArn
ssm:UpdateManagedInstanceRole IamRole
states:CreateStateMachine roleArn
states:UpdateStateMachine roleArn
storagegateway:CreateNFSFileShare Role
storagegateway:CreateSMBFileShare Role
swf:RegisterWorkflowType defaultLambdaRole
swf:StartWorkflowExecution lambdaRole
synthetics:CreateCanary ExecutionRoleArn
synthetics:UpdateCanary ExecutionRoleArn
transfer:CreateServer IdentityProviderDetails.InvocationRole|LoggingRole
transfer:CreateUser Role
transfer:UpdateServer LoggingRole|IdentityProviderDetails.InvocationRole
transfer:UpdateUser Role
translate:StartTextTranslationJob DataAccessRoleArn
workmail:StartMailboxExportJob RoleArn
@noamsdahan
Copy link
Author

noamsdahan commented Mar 7, 2021
edited
Loading

Details on research: https://ermetic.com/whats-new/blog/auditing-passrole-a-problematic-privilege-escalation-permission/

@tvb
Copy link

tvb commented Jan 31, 2022

@noamsdahan where is vpc-flow-logs in this list?

https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html#flow-logs-iam-user

@noamsdahan
Copy link
Author

line 83 (as of posting), ec2:CreateFlowLogs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment