noamsdahan/passrole_actions_and_parameters.csv

Last active August 26, 2025 21:57

Star (36) You must be signed in to star a gist
Fork (5) You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/noamsdahan/928aafbcca71f95b07472f22e35dc93c.js"></script>
Save noamsdahan/928aafbcca71f95b07472f22e35dc93c to your computer and use it in GitHub Desktop.

Download ZIP

A list of IAM actions which require iam:PassRole as of December 2020. Nested parameters are written with dot ('.') notation. Where there are multiple relevant parameters, they are separated by the pipe character ('|'). consult the AWS documentation on special cases - noted with an asterisk (most of them are "array of documents" type parameters).…

Raw

passrole_actions_and_parameters.csv

	IAM Permission	Params
	amplify:CreateApp	iamServiceRoleArn
	amplify:UpdateApp	iamServiceRoleArn
	appconfig:CreateConfigurationProfile	RetrievalRoleArn
	appconfig:UpdateConfigurationProfile	RetrievalRoleArn
	appflow:CreateConnectorProfile	connectorProfileConfig.connectorProfileProperties.Redshift.roleArn
	appflow:UpdateConnectorProfile	connectorProfileConfig.connectorProfileProperties.Redshift.roleArn
	application-autoscaling:RegisterScalableTarget	RoleARN
	apprunner:CreateService	SourceConfiguration.AuthenticationConfiguration.AccessRoleArn\|InstanceConfiguration.InstanceRoleArn
	apprunner:UpdateService	SourceConfiguration.AuthenticationConfiguration.AccessRoleArn\|InstanceConfiguration.InstanceRoleArn
	appstream2:CreateFleet	IamRoleArn
	appstream2:CreateImageBuilder	IamRoleArn
	appstream2:UpdateFleet	IamRoleArn
	appsync:CreateDataSource	serviceRoleArn\|httpConfig.authorizationConfig.awsIamConfig.signingRegion\|httpConfig.authorizationConfig.awsIamConfig.signingServiceName
	appsync:CreateGraphqlApi	logConfig.cloudWatchLogsRoleArn
	appsync:UpdateDataSource	serviceRoleArn\|httpConfig.authorizationConfig.awsIamConfig.signingRegion\|httpConfig.authorizationConfig.awsIamConfig.signingServiceName
	appsync:UpdateGraphqlApi	logConfig.cloudWatchLogsRoleArn
	autoscaling:CreateAutoScalingGroup	LaunchConfigurationName\|LaunchTemplate.LaunchTemplateId\|LaunchTemplate.LaunchTemplateName\|LaunchTemplate.Version\|MixedInstancesPolicy.LaunchTemplate.LaunchTemplateSpecification.LaunchTemplateId\|MixedInstancesPolicy.LaunchTemplate.LaunchTemplateSpecification.LaunchTemplateName\|MixedInstancesPolicy.LaunchTemplate.LaunchTemplateSpecification.Version\|MixedInstancesPolicy.LaunchTemplate.Overrides\|ServiceLinkedRoleARN\|LifeCycleHookSpecification.RoleARN
	autoscaling:CreateLaunchConfiguration	LaunchConfigurationName\|IamInstanceProfile
	autoscaling:PutLifecycleHook	RoleARN
	autoscaling:UpdateAutoScalingGroup	LaunchConfigurationName\|LaunchTemplate.LaunchTemplateId\|LaunchTemplate.LaunchTemplateName\|LaunchTemplate.Version\|MixedInstancesPolicy.LaunchTemplate.LaunchTemplateSpecification.LaunchTemplateId\|MixedInstancesPolicy.LaunchTemplate.LaunchTemplateSpecification.LaunchTemplateName\|MixedInstancesPolicy.LaunchTemplate.LaunchTemplateSpecification.Version\|MixedInstancesPolicy.LaunchTemplate.Overrides\|ServiceLinkedRoleARN\|LifeCycleHookSpecification.RoleARN
	backup:CreateBackupSelection	BackupSelection.IamRoleArn
	backup:StartBackupJob	IamRoleArn
	backup:StartCopyJob	IamRoleArn
	backup:StartRestoreJob	IamRoleArn
	batch:CreateComputeEnvironment	computeResources.instanceRole\|computeResources.spotIamFleetRole\|computeResources.launchTemplate.launchTemplateId\|computeResources.launchTemplate.launchTemplateName\|computeResources.launchTemplate.version\|serviceRole
	batch:RegisterJobDefinition	containerProperties.jobRoleArn\|containerProperties.executionRoleArn
	batch:UpdateComputeEnvironment	serviceRole
	budgets:CreateBudgetAction	Definition.IamActionDefinition.PolicyArn\|Definition.IamActionDefinition.Roles\|Definition.IamActionDefinition.Groups\|Definition.IamActionDefinition.Users\|ExecutionRoleArn
	budgets:UpdateBudgetAction	Definition.IamActionDefinition.PolicyArn\|Definition.IamActionDefinition.Roles\|Definition.IamActionDefinition.Groups\|Definition.IamActionDefinition.Users\|ExecutionRoleArn
	cloudformation:ContinueUpdateRollback	RoleARN
	cloudformation:CreateChangeSet	RoleARN
	cloudformation:CreateStack	RoleARN
	cloudformation:CreateStackInstances	ParameterOverrides*
	cloudformation:CreateStackSet	AdministrationRoleARN\|ExecutionRoleName
	cloudformation:EstimateTemplateCost	ParameterOverrides*
	cloudformation:RegisterType	LoggingConfig.LogRoleArn\|ExecutionRoleArn
	cloudformation:UpdateStack	RoleARN
	cloudformation:UpdateStackInstances	ParameterOverrides*
	cloudformation:UpdateStackSet	AdministrationRoleARN\|ExecutionRoleName
	cloudtrail:CreateTrail	CloudWatchLogsRoleArn
	cloudtrail:UpdateTrail	CloudWatchLogsRoleArn
	codebuild:CreateProject	serviceRole\|buildBatchConfig.serviceRole
	codebuild:StartBuild	serviceRoleOverride
	codebuild:StartBuildBatch	serviceRoleOverride\|buildBatchConfigOverride.serviceRole
	codebuild:UpdateProject	serviceRole\|buildBatchConfig.serviceRole
	codedeploy:CreateDeploymentGroup	serviceRoleArn
	codedeploy:UpdateDeploymentGroup	serviceRoleArn
	codepipeline:CreatePipeline	pipeline.roleArn
	codepipeline:UpdatePipeline	pipeline.roleArn
	codestar:CreateProject	toolchain.roleArn
	cognito-identity:SetIdentityPoolRoles	Roles\|RoleMappings
	cognito-idp:CreateGroup	RoleArn
	cognito-idp:CreateUserImportJob	CloudWatchLogsRoleArn
	cognito-idp:CreateUserPoolClient	AnalyticsConfiguration.RoleArn
	cognito-idp:UpdateGroup	RoleArn
	cognito-idp:UpdateUserPoolClient	AnalyticsConfiguration.RoleArn
	cognito-sync:SetIdentityPoolConfiguration	PushSync.RoleArn\|CognitoStreams.RoleArn
	comprehend:CreateDocumentClassifier	DataAccessRoleArn
	comprehend:CreateEntityRecognizer	DataAccessRoleArn
	comprehend:StartDocumentClassificationJob	DataAccessRoleArn
	comprehend:StartDominantLanguageDetectionJob	DataAccessRoleArn
	comprehend:StartEntitiesDetectionJob	DataAccessRoleArn
	comprehend:StartEventsDetectionJob	DataAccessRoleArn
	comprehend:StartKeyPhrasesDetectionJob	DataAccessRoleArn
	comprehend:StartPiiEntitiesDetectionJob	DataAccessRoleArn
	comprehend:StartSentimentDetectionJob	DataAccessRoleArn
	comprehend:StartTopicsDetectionJob	DataAccessRoleArn
	config:PutConfigurationAggregator	OrganizationAggregationSource.RoleArn
	config:PutConfigurationRecorder	ConfigurationRecorder.roleARN
	datapipeline:PutPipelineDefinition	pipelineObjects.fields*
	datapipeline:ValidatePipelineDefinition	pipelineObjects.fields*
	datasync:CreateLocationS3	S3Config.BucketAccessRoleArn
	dax:CreateCluster	IamRoleArn
	dlm:CreateLifecyclePolicy	ExecutionRoleArn
	dlm:UpdateLifecyclePolicy	ExecutionRoleArn
	dms:CreateEndpoint	ServiceAccessRoleArn\|DynamoDbSettings.ServiceAccessRoleArn\|S3Settings.ServiceAccessRoleArn\|DmsTransferSettings.ServiceAccessRoleArn\|KinesisSettings.ServiceAccessRoleArn\|ElasticsearchSettings.ServiceAccessRoleArn\|NeptuneSettings.ServiceAccessRoleArn\|NeptuneSettings.IamAuthEnabled\|RedshiftSettings.ServiceAccessRoleArn
	dms:ModifyEndpoint	ServiceAccessRoleArn\|DynamoDbSettings.ServiceAccessRoleArn\|S3Settings.ServiceAccessRoleArn\|DmsTransferSettings.ServiceAccessRoleArn\|KinesisSettings.ServiceAccessRoleArn\|ElasticsearchSettings.ServiceAccessRoleArn\|NeptuneSettings.ServiceAccessRoleArn\|NeptuneSettings.IamAuthEnabled\|RedshiftSettings.ServiceAccessRoleArn
	dynamodb:UpdateGlobalTableSettings	GlobalTableProvisionedWriteCapacityAutoScalingSettingsUpdate.AutoScalingRoleArn
	dynamodb:UpdateTableReplicaAutoScaling	ProvisionedWriteCapacityAutoScalingUpdate.AutoScalingRoleArn
	ec2:AssociateIamInstanceProfile	IamInstanceProfile.Arn\|IamInstanceProfile.Name
	ec2:CreateFleet	LaunchTemplateConfigs
	ec2:CreateFlowLogs	DeliverLogsPermissionArn
	ec2:ModifyFleet	LaunchTemplateConfigs
	ec2:ModifySpotFleetRequest	LaunchTemplateConfigs
	ec2:ReplaceIamInstanceProfileAssociation	IamInstanceProfile.Arn\|IamInstanceProfile.Name
	ec2:RequestSpotFleet	SpotFleetRequestConfig.IamFleetRole\|SpotFleetRequestConfig.LaunchTemplateConfigs
	ec2:RequestSpotInstances	LaunchSpecification.IamInstanceProfile.Arn\|LaunchSpecification.IamInstanceProfile.Name
	ec2:RunInstances	IamInstanceProfile.Arn\|IamInstanceProfile.Name\|LaunchTemplate.LaunchTemplateId\|LaunchTemplate.LaunchTemplateName\|LaunchTemplate.Version
	ec2:RunScheduledInstances	LaunchSpecification.IamInstanceProfile.Arn\|LaunchSpecification.IamInstanceProfile.Name
	ecs:CreateService	taskDefinition\|role
	ecs:CreateTaskSet	taskDefinition
	ecs:RegisterTaskDefinition	taskRoleArn\|executionRoleArn
	ecs:RunTask	overrides.executionRoleArn\|overrides.taskRoleArn\|taskDefinition
	ecs:StartTask	overrides.executionRoleArn\|overrides.taskRoleArn\|taskDefinition
	eks:CreateCluster	roleArn
	eks:CreateFargateProfile	podExecutionRoleArn
	eks:CreateNodegroup	nodeRole\|launchTemplate.name\|launchTemplate.version\|launchTemplate.id
	elasticbeanstalk:AssociateEnvironmentOperationsRole	OperationsRole
	elasticbeanstalk:CreateApplication	ResourceLifecycleConfig.ServiceRole
	elasticbeanstalk:CreateApplicationVersion	BuildConfiguration.CodeBuildServiceRole
	elasticbeanstalk:CreateEnvironment	TemplateName\|OperationsRole
	elasticbeanstalk:UpdateApplicationResourceLifecycle	ResourceLifecycleConfig.ServiceRole
	elasticbeanstalk:UpdateConfigurationTemplate	TemplateName
	elasticbeanstalk:UpdateEnvironment	TemplateName
	elasticmapreduce:RunJobFlow	JobFlowRole\|ServiceRole\|AutoScalingRole
	elastictranscoder:CreatePipeline	Role
	elastictranscoder:TestRole	Role
	elastictranscoder:UpdatePipeline	Role
	es:CreateElasticsearchDomain	CognitoOptions.RoleArn\|AdvancedSecurityOptions.SAMLOptions.MasterBackendRole\|AdvancedSecurityOptions.SAMLOptions.RolesKey
	es:UpdateElasticsearchDomainConfig	CognitoOptions.RoleArn\|AdvancedSecurityOptions.SAMLOptions.MasterBackendRole\|AdvancedSecurityOptions.SAMLOptions.RolesKey
	events:PutRule	RoleArn
	firehose:CreateDeliveryStream	KinesisStreamSourceConfiguration.RoleARN\|S3DestinationConfiguration.RoleARN\|ExtendedS3DestinationConfiguration.RoleARN\|ExtendedS3DestinationConfiguration.S3BackupConfiguration.RoleARN\|ExtendedS3DestinationConfiguration.DataFormatConversionConfiguration.SchemaConfiguration.RoleARN\|RedshiftDestinationConfiguration.RoleARN\|RedshiftDestinationConfiguration.S3Configuration.RoleARN\|RedshiftDestinationConfiguration.S3BackupConfiguration.RoleARN\|ElasticsearchDestinationConfiguration.RoleARN\|ElasticsearchDestinationConfiguration.S3Configuration.RoleARN\|ElasticsearchDestinationConfiguration.VpcConfiguration.RoleARN\|SplunkDestinationConfiguration.S3Configuration.RoleARN
	firehose:UpdateDestination	S3DestinationUpdate.RoleARN\|ExtendedS3DestinationUpdate.RoleARN\|ExtendedS3DestinationUpdate.S3BackupUpdate.RoleARN\|ExtendedS3DestinationUpdate.DataFormatConversionConfiguration.SchemaConfiguration.RoleARN\|RedshiftDestinationUpdate.RoleARN\|RedshiftDestinationUpdate.S3Update.RoleARN\|RedshiftDestinationUpdate.S3BackupUpdate.RoleARN\|ElasticsearchDestinationUpdate.RoleARN\|ElasticsearchDestinationUpdate.S3Update.RoleARN\|SplunkDestinationUpdate.S3Update.RoleARN\|HttpEndpointDestinationUpdate.RoleARN\|HttpEndpointDestinationUpdate.S3Update.RoleARN
	fms:PutNotificationChannel	SnsRoleName
	forecast:CreateDataset	EncryptionConfig.RoleArn
	forecast:CreateDatasetImportJob	DataSource.S3Config.RoleArn
	forecast:CreateForecastExportJob	Destination.S3Config.RoleArn
	forecast:CreatePredictor	EncryptionConfig.RoleArn
	frauddetector:CreateModelVersion	externalEventsDetail.dataAccessRoleArn
	frauddetector:PutExternalModel	invokeModelEndpointRoleArn
	frauddetector:UpdateModelVersion	externalEventsDetail.dataAccessRoleArn
	gamelift:CreateBuild	StorageLocation.RoleArn
	gamelift:CreateFleet	InstanceRoleArn
	gamelift:CreateGameServerGroup	RoleArn\|LaunchTemplate.LaunchTemplateId\|LaunchTemplate.LaunchTemplateName\|LaunchTemplate.Version
	gamelift:CreateScript	StorageLocation.RoleArn
	gamelift:UpdateGameServerGroup	RoleArn
	gamelift:UpdateScript	StorageLocation.RoleArn
	glue:CreateCrawler	Role
	glue:CreateDevEndpoint	RoleArn
	glue:CreateJob	Role
	glue:CreateMLTransform	Role
	glue:UpdateCrawler	Role
	glue:UpdateJob	JobUpdate.Role
	glue:UpdateMLTransform	Role
	greengrass:AssociateRoleToGroup	RoleArn
	greengrass:AssociateServiceRoleToAccount	RoleArn
	greengrass:CreateSoftwareUpdateJob	S3UrlSignerRole
	greengrass:StartBulkDeployment	ExecutionRoleArn
	iam:AddRoleToInstanceProfile	InstanceProfileName\|RoleName
	imagebuilder:CreateInfrastructureConfiguration	instanceProfileName
	imagebuilder:UpdateInfrastructureConfiguration	instanceProfileName
	inspector:RegisterCrossAccountAccessRole	roleArn
	iot:CreateAuditSuppression	resourceIdentifier.iamRoleArn\|resourceIdentifier.roleAliasArn
	iot:CreateJob	presignedUrlConfig.roleArn
	iot:CreateMitigationAction	roleArn\|actionParams.enableIoTLoggingParams.roleArnForLogging
	iot:CreateOTAUpdate	roleArn
	iot:CreateRoleAlias	roleAlias\|roleArn
	iot:CreateStream	roleArn
	iot:CreateTopicRule	topicRulePayload.errorAction.dynamoDB.roleArn\|topicRulePayload.errorAction.dynamoDBv2.roleArn\|topicRulePayload.errorAction.sns.roleArn\|topicRulePayload.errorAction.sqs.roleArn\|topicRulePayload.errorAction.kinesis.roleArn\|topicRulePayload.errorAction.republish.roleArn\|topicRulePayload.errorAction.s3.roleArn\|topicRulePayload.errorAction.firehose.roleArn\|topicRulePayload.errorAction.cloudwatchMetric.roleArn\|topicRulePayload.errorAction.cloudwatchAlarm.roleArn\|topicRulePayload.errorAction.cloudwatchLogs.roleArn\|topicRulePayload.errorAction.elasticsearch.roleArn
	iot:RegisterCACertificate	registrationConfig.roleArn
	iot:ReplaceTopicRule	topicRulePayload.errorAction.dynamoDB.roleArn\|topicRulePayload.errorAction.dynamoDBv2.roleArn\|topicRulePayload.errorAction.sns.roleArn\|topicRulePayload.errorAction.sqs.roleArn\|topicRulePayload.errorAction.kinesis.roleArn\|topicRulePayload.errorAction.republish.roleArn\|topicRulePayload.errorAction.s3.roleArn\|topicRulePayload.errorAction.firehose.roleArn\|topicRulePayload.errorAction.cloudwatchMetric.roleArn\|topicRulePayload.errorAction.cloudwatchAlarm.roleArn\|topicRulePayload.errorAction.cloudwatchLogs.roleArn\|topicRulePayload.errorAction.elasticsearch.roleArn
	iot:SetLoggingOptions	loggingOptionsPayload.roleArn
	iot:SetV2LoggingOptions	roleArn
	iot:StartThingRegistrationTask	roleArn
	iot:UpdateAccountAuditConfiguration	roleArn
	iot:UpdateAuditSuppression	resourceIdentifier.iamRoleArn\|resourceIdentifier.roleAliasArn
	iot:UpdateCACertificate	registrationConfig.roleArn
	iot:UpdateJob	presignedUrlConfig.roleArn
	iot:UpdateMitigationAction	roleArn\|actionParams.enableIoTLoggingParams.roleArnForLogging
	iot:UpdateProvisioningTemplate	provisioningRoleArn
	iot:UpdateRoleAlias	roleAlias\|roleArn
	iot:UpdateStream	roleArn
	iotanalytics:CreateChannel	channelStorage.customerManagedS3.roleArn
	iotanalytics:CreateDatastore	datastoreStorage.customerManagedS3.roleArn
	iotanalytics:PutLoggingOptions	loggingOptions.roleArn
	iotanalytics:RunPipelineActivity	pipelineActivity.deviceRegistryEnrich.roleArn\|pipelineActivity.deviceShadowEnrich.roleArn
	iotanalytics:UpdateChannel	channelStorage.customerManagedS3.roleArn
	iotanalytics:UpdateDatastore	datastoreStorage.customerManagedS3.roleArn
	iotevents:CreateDetectorModel	roleArn
	iotevents:PutLoggingOptions	loggingOptions.roleArn
	iotevents:UpdateDetectorModel	roleArn
	iotsitewise:CreateAccessPolicy	accessPolicyIdentity.iamUser.arn
	iotsitewise:CreatePortal	roleArn
	iotsitewise:UpdateAccessPolicy	accessPolicyIdentity.iamUser.arn
	iotsitewise:UpdatePortal	roleArn
	iotthingsgraph:CreateSystemInstance	metricsConfiguration.metricRuleRoleArn\|flowActionsRoleArn
	kendra:BatchPutDocument	RoleArn
	kendra:CreateDataSource	RoleArn
	kendra:CreateFaq	RoleArn
	kendra:CreateIndex	RoleArn
	kendra:UpdateDataSource	RoleArn
	kendra:UpdateIndex	RoleArn
	kinesisanalytics:AddApplicationCloudWatchLoggingOption	CloudWatchLoggingOption.RoleARN
	kinesisanalytics:AddApplicationInput	Input.InputProcessingConfiguration.InputLambdaProcessor.RoleARN\|Input.KinesisStreamsInput.RoleARN\|Input.KinesisFirehoseInput.RoleARN
	kinesisanalytics:AddApplicationInputProcessingConfiguration	InputProcessingConfiguration.InputLambdaProcessor.RoleARN
	kinesisanalytics:AddApplicationOutput	Output.KinesisStreamsOutput.RoleARN\|Output.KinesisFirehoseOutput.RoleARN\|Output.LambdaOutput.RoleARN
	kinesisanalytics:AddApplicationReferenceDataSource	ReferenceDataSource.S3ReferenceDataSource.ReferenceRoleARN
	kinesisanalytics:DiscoverInputSchema	RoleARN\|S3Configuration.RoleARN\|InputProcessingConfiguration.InputLambdaProcessor.RoleARN
	lakeformation:RegisterResource	UseServiceLinkedRole\|RoleArn
	lakeformation:UpdateResource	RoleArn
	lambda:CreateFunction	Role
	lambda:UpdateFunctionConfiguration	Role
	lex:PutBotAlias	conversationLogs.iamRoleArn
	lex:PutIntent	kendraConfiguration.role
	logs:PutDestination	roleArn
	logs:PutSubscriptionFilter	roleArn
	machinelearning:CreateDataSourceFromRDS	RDSData.ResourceRole\|RDSData.ServiceRole\|RoleARN
	machinelearning:CreateDataSourceFromRedshift	RoleARN
	mediaconnect:CreateFlow	Source.Decryption.RoleArn
	mediaconnect:UpdateFlowEntitlement	Encryption.RoleArn
	mediaconnect:UpdateFlowOutput	Encryption.RoleArn
	mediaconnect:UpdateFlowSource	Decryption.RoleArn
	mediaconvert:CreateJob	Role
	medialive:CreateChannel	RoleArn
	medialive:CreateInput	RoleArn
	medialive:UpdateChannel	RoleArn
	medialive:UpdateInput	RoleArn
	mediapackage-vod:CreateAsset	SourceRoleArn
	mediapackage-vod:CreatePackagingConfiguration	CmafPackage.Encryption.SpekeKeyProvider.RoleArn\|DashPackage.Encryption.SpekeKeyProvider.RoleArn\|HlsPackage.Encryption.SpekeKeyProvider.RoleArn\|MssPackage.Encryption.SpekeKeyProvider.RoleArn
	mediapackage-vod:CreatePackagingGroup	Authorization.SecretsRoleArn
	mediapackage:CreateOriginEndpoint	Authorization.SecretsRoleArn\|CmafPackage.Encryption.SpekeKeyProvider.RoleArn\|DashPackage.Encryption.SpekeKeyProvider.RoleArn\|HlsPackage.Encryption.SpekeKeyProvider.RoleArn\|MssPackage.Encryption.SpekeKeyProvider.RoleArn
	mediapackage:UpdateOriginEndpoint	Authorization.SecretsRoleArn\|CmafPackage.Encryption.SpekeKeyProvider.RoleArn\|DashPackage.Encryption.SpekeKeyProvider.RoleArn\|HlsPackage.Encryption.SpekeKeyProvider.RoleArn\|MssPackage.Encryption.SpekeKeyProvider.RoleArn
	mobiletargeting:CreateExportJob	ExportJobRequest.RoleArn
	mobiletargeting:CreateImportJob	ImportJobRequest.RoleArn
	mobiletargeting:CreateRecommenderConfiguration	CreateRecommenderConfiguration.RecommendationProviderRoleArn
	mobiletargeting:PutEventStream	WriteEventStream.RoleArn
	mobiletargeting:UpdateEmailChannel	EmailChannelRequest.RoleArn
	mobiletargeting:UpdateRecommenderConfiguration	UpdateRecommenderConfiguration.RecommendationProviderRoleArn
	mq:CreateBroker	LdapServerMetadata.RoleBase\|LdapServerMetadata.RoleName\|LdapServerMetadata.RoleSearchMatching\|LdapServerMetadata.RoleSearchSubtree\|LdapServerMetadata.UserRoleName
	mq:UpdateBroker	LdapServerMetadata.RoleBase\|LdapServerMetadata.RoleName\|LdapServerMetadata.RoleSearchMatching\|LdapServerMetadata.RoleSearchSubtree\|LdapServerMetadata.UserRoleName
	opsworks-cm:CreateServer	InstanceProfileArn\|ServiceRoleArn
	opsworks:CloneStack	ServiceRoleArn\|DefaultInstanceProfileArn
	opsworks:CreateLayer	CustomInstanceProfileArn
	opsworks:CreateStack	ServiceRoleArn\|DefaultInstanceProfileArn
	opsworks:CreateUserProfile	IamUserArn
	opsworks:DeleteUserProfile	IamUserArn
	opsworks:UpdateLayer	CustomInstanceProfileArn
	opsworks:UpdateStack	ServiceRoleArn\|DefaultInstanceProfileArn
	organizations:CreateAccount	RoleName\|IamUserAccessToBilling
	organizations:CreateGovCloudAccount	RoleName\|IamUserAccessToBilling
	personalize:CreateBatchInferenceJob	roleArn
	personalize:CreateDatasetGroup	roleArn
	personalize:CreateDatasetImportJob	roleArn
	qldb:ExportJournalToS3	RoleArn
	qldb:StreamJournalToKinesis	RoleArn
	rds:AddRoleToDBCluster	RoleArn
	rds:AddRoleToDBInstance	RoleArn
	rds:CreateDBCluster	EnableIAMDatabaseAuthentication\|DomainIAMRoleName
	rds:CreateDBInstance	MonitoringRoleArn\|DomainIAMRoleName\|EnableIAMDatabaseAuthentication
	rds:CreateDBInstanceReadReplica	MonitoringRoleArn\|EnableIAMDatabaseAuthentication\|DomainIAMRoleName
	rds:CreateDBProxy	RoleArn
	rds:ModifyDBCluster	EnableIAMDatabaseAuthentication\|DomainIAMRoleName
	rds:ModifyDBInstance	MonitoringRoleArn\|DomainIAMRoleName\|EnableIAMDatabaseAuthentication
	rds:ModifyDBProxy	RoleArn
	rds:ModifyOptionGroup	OptionsToInclude*
	rds:RemoveRoleFromDBCluster	RoleArn
	rds:RemoveRoleFromDBInstance	RoleArn
	rds:RestoreDBClusterFromS3	EnableIAMDatabaseAuthentication\|S3IngestionRoleArn\|DomainIAMRoleName
	rds:RestoreDBClusterFromSnapshot	EnableIAMDatabaseAuthentication\|DomainIAMRoleName
	rds:RestoreDBClusterToPointInTime	EnableIAMDatabaseAuthentication\|DomainIAMRoleName
	rds:RestoreDBInstanceFromDBSnapshot	DomainIAMRoleName\|EnableIAMDatabaseAuthentication
	rds:RestoreDBInstanceFromS3	MonitoringRoleArn\|EnableIAMDatabaseAuthentication\|S3IngestionRoleArn
	rds:RestoreDBInstanceToPointInTime	DomainIAMRoleName\|EnableIAMDatabaseAuthentication
	rds:StartExportTask	IamRoleArn
	redshift:CreateCluster	IamRoles
	redshift:CreateScheduledAction	IamRole
	redshift:ModifyClusterIamRoles	AddIamRoles\|RemoveIamRoles
	redshift:ModifyScheduledAction	IamRole
	redshift:RestoreFromClusterSnapshot	IamRoles
	rekognition:CreateStreamProcessor	RoleArn
	rekognition:StartCelebrityRecognition	NotificationChannel.RoleArn
	rekognition:StartContentModeration	NotificationChannel.RoleArn
	rekognition:StartFaceDetection	NotificationChannel.RoleArn
	rekognition:StartFaceSearch	NotificationChannel.RoleArn
	rekognition:StartLabelDetection	NotificationChannel.RoleArn
	rekognition:StartPersonTracking	NotificationChannel.RoleArn
	rekognition:StartSegmentDetection	NotificationChannel.RoleArn
	rekognition:StartTextDetection	NotificationChannel.RoleArn
	robomaker:CreateSimulationJob	iamRole
	robomaker:CreateWorldExportJob	iamRole
	s3-control:CreateJob	CreateJobRequest.RoleArn
	s3:PutBucketNotification	NotificationConfiguration.CloudFunctionConfiguration.InvocationRole
	s3:PutBucketReplication	Role
	sagemaker:CreateAlgorithm	ValidationSpecification.ValidationRole
	sagemaker:CreateAutoMLJob	RoleArn
	sagemaker:CreateCompilationJob	RoleArn
	sagemaker:CreateDomain	DefaultUserSettings.ExecutionRole
	sagemaker:CreateFlowDefinition	RoleArn
	sagemaker:CreateHyperParameterTuningJob	TrainingJobDefinition.RoleArn
	sagemaker:CreateLabelingJob	RoleArn
	sagemaker:CreateModel	ExecutionRoleArn
	sagemaker:CreateModelPackage	ValidationSpecification.ValidationRole
	sagemaker:CreateMonitoringSchedule	MonitoringScheduleConfig.MonitoringJobDefinition.RoleArn
	sagemaker:CreateNotebookInstance	RoleArn
	sagemaker:CreateProcessingJob	RoleArn
	sagemaker:CreateTrainingJob	RoleArn
	sagemaker:CreateUserProfile	UserSettings.ExecutionRole
	sagemaker:RenderUiTemplate	RoleArn
	sagemaker:UpdateDomain	DefaultUserSettings.ExecutionRole
	sagemaker:UpdateMonitoringSchedule	MonitoringScheduleConfig.MonitoringJobDefinition.RoleArn
	sagemaker:UpdateNotebookInstance	RoleArn
	sagemaker:UpdateUserProfile	UserSettings.ExecutionRole
	securityhub:CreateInsight	Filters.ResourceAwsEc2InstanceIamInstanceProfileArn\|Filters.ResourceAwsIamAccessKeyUserName\|Filters.ResourceAwsIamAccessKeyStatus\|Filters.ResourceAwsIamAccessKeyCreatedAt
	securityhub:UpdateFindings	Filters.ResourceAwsEc2InstanceIamInstanceProfileArn\|Filters.ResourceAwsIamAccessKeyUserName\|Filters.ResourceAwsIamAccessKeyStatus\|Filters.ResourceAwsIamAccessKeyCreatedAt
	securityhub:UpdateInsight	Filters.ResourceAwsEc2InstanceIamInstanceProfileArn\|Filters.ResourceAwsIamAccessKeyUserName\|Filters.ResourceAwsIamAccessKeyStatus\|Filters.ResourceAwsIamAccessKeyCreatedAt
	ses:CreateConfigurationSetEventDestination	EventDestination.KinesisFirehoseDestination.IAMRoleARN
	ses:UpdateConfigurationSetEventDestination	EventDestination.KinesisFirehoseDestination.IAMRoleARN
	shield:AssociateDRTRole	RoleArn
	sms-voice:CreateConfigurationSetEventDestination	EventDestination.CloudWatchLogsDestination.IamRoleArn\|EventDestination.KinesisFirehoseDestination.IamRoleArn
	sms-voice:UpdateConfigurationSetEventDestination	EventDestination.CloudWatchLogsDestination.IamRoleArn\|EventDestination.KinesisFirehoseDestination.IamRoleArn
	sms:CreateApp	roleName
	sms:CreateReplicationJob	roleName
	sms:ImportAppCatalog	roleName
	sms:PutAppLaunchConfiguration	roleName\|serverGroupLaunchConfigurations
	sms:UpdateApp	roleName
	sms:UpdateReplicationJob	roleName
	snowball:CreateCluster	RoleARN
	snowball:CreateJob	RoleARN
	snowball:UpdateCluster	RoleARN
	snowball:UpdateJob	RoleARN
	ssm:CreateActivation	IamRole
	ssm:CreateDocument	[Special case: consult the docs]*
	ssm:RegisterTaskWithMaintenanceWindow	ServiceRoleArn\|TaskInvocationParameters.RunCommand.ServiceRoleArn
	ssm:SendCommand	ServiceRoleArn
	ssm:UpdateMaintenanceWindowTask	ServiceRoleArn\|TaskInvocationParameters.RunCommand.ServiceRoleArn
	ssm:UpdateManagedInstanceRole	IamRole
	states:CreateStateMachine	roleArn
	states:UpdateStateMachine	roleArn
	storagegateway:CreateNFSFileShare	Role
	storagegateway:CreateSMBFileShare	Role
	swf:RegisterWorkflowType	defaultLambdaRole
	swf:StartWorkflowExecution	lambdaRole
	synthetics:CreateCanary	ExecutionRoleArn
	synthetics:UpdateCanary	ExecutionRoleArn
	transfer:CreateServer	IdentityProviderDetails.InvocationRole\|LoggingRole
	transfer:CreateUser	Role
	transfer:UpdateServer	LoggingRole\|IdentityProviderDetails.InvocationRole
	transfer:UpdateUser	Role
	translate:StartTextTranslationJob	DataAccessRoleArn
	workmail:StartMailboxExportJob	RoleArn

Author

noamsdahan commented Mar 7, 2021 •

edited

Loading

Details on research: https://ermetic.com/whats-new/blog/auditing-passrole-a-problematic-privilege-escalation-permission/

tvb commented Jan 31, 2022

@noamsdahan where is vpc-flow-logs in this list?

https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html#flow-logs-iam-user

Author

noamsdahan commented Jan 31, 2022

line 83 (as of posting), ec2:CreateFlowLogs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment