svpino / ml.school

Machine Learning School
Apache License 2.0

Policy JSON generates PassRole With Star in Resource warning #6

Open blcooley opened 10 months ago

blcooley commented 10 months ago

For the policy JSON given under the Sagemaker instructions in the setup, the AWS console generates an error with respect to the following section from lines 24-36:

        {
            "Sid": "IAM1",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:PassRole",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy",
                "iam:CreatePolicy"
            ],
            "Resource": "*"
        },

The error reads: PassRole With Star In Resource: Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.

I found this to be confusing, even though I ignored the warning and continued. Is it necessary to specify a wildcard for resource in this section? If so, does adding the iam:PassedToService condition key solve the problem? To be honest, I'm not sure what that means or how to do it right now.
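The following is an added example, not code from the issue or from the ml.school repository. It shows what the console's warning is matching on and what the statement looks like with `iam:PassRole` split out and tied down: `PassRole` goes in its own statement whose `Resource` is the execution role's ARN instead of `*`, with an `iam:PassedToService` condition that only lets the role be passed to SageMaker. The account ID `123456789012` and the role name `sagemaker-execution-role` are placeholders; the course does not say which role it creates, so substitute the real ARN. The other `IAM1` actions are left on `*` here because nothing on the page says which roles or policies they need to touch. The `passrole_with_star` function reproduces the check the console is doing so you can confirm a policy no longer trips it before pasting it in.

```python
import fnmatch
import json

# The statement quoted in the issue (the one the console flags).
ORIGINAL_STATEMENT = {
    "Sid": "IAM1",
    "Effect": "Allow",
    "Action": [
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:PassRole",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:CreatePolicy",
    ],
    "Resource": "*",
}

# Hardened variant: PassRole moved into its own statement, scoped to one role
# and restricted to SageMaker as the service the role is passed to.
# Account ID and role name are placeholders (assumptions), not from the course.
EXECUTION_ROLE_ARN = "arn:aws:iam::123456789012:role/sagemaker-execution-role"

HARDENED_STATEMENTS = [
    {
        "Sid": "IAM1",
        "Effect": "Allow",
        "Action": [
            "iam:CreateRole",
            "iam:DeleteRole",
            "iam:AttachRolePolicy",
            "iam:DetachRolePolicy",
            "iam:CreatePolicy",
        ],
        "Resource": "*",  # still broad, but not what the linter complains about
    },
    {
        "Sid": "IAM1PassRole",
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": EXECUTION_ROLE_ARN,
        "Condition": {
            "StringEquals": {"iam:PassedToService": "sagemaker.amazonaws.com"}
        },
    },
]

ORIGINAL_POLICY = {"Version": "2012-10-17", "Statement": [ORIGINAL_STATEMENT]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": HARDENED_STATEMENTS}


def _as_list(value):
    # IAM accepts a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive and patterns may use * and ?,
    # so "iam:*" or "*" also grants PassRole.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def passrole_with_star(policy):
    """Return the Sids of Allow statements that grant iam:PassRole on Resource "*"
    without an iam:PassedToService condition, which is the pattern the console
    warns about. Statements using NotAction are not inspected (assumption: the
    course policy only uses Action)."""
    flagged = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = _as_list(stmt["Action"])
        if not any(_action_matches(a, "iam:PassRole") for a in actions):
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue  # a concrete role ARN is one of the two fixes the console suggests
        condition_keys = {
            key.lower()
            for operator in stmt.get("Condition", {}).values()
            for key in operator
        }
        if "iam:passedtoservice" in condition_keys:
            continue  # the other fix: limit which service the role can be passed to
        flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    print("original flags:", passrole_with_star(ORIGINAL_POLICY))
    print("hardened flags:", passrole_with_star(HARDENED_POLICY))
    print(json.dumps(HARDENED_POLICY, indent=4))
```

Either change on its own satisfies the linter, as the warning text says, but doing both is what actually limits the blast radius: the ARN decides which role can be handed over, and `iam:PassedToService` decides which service can receive it, so a user who can pass the SageMaker execution role cannot also pass it to, say, Lambda or EC2 to run code with its permissions.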

svpino commented 10 months ago

Hey @blcooley, yeah, this policy is over-permissive, but I ignore the warning because it's just for the cohort.

I have a note on my list to check this and improve it. I'll have to research to ensure I can tie down the policy. Thanks for reporting it!