Ref: https://learn.cantrill.io/courses/1820301/lectures/41301369

• Summary
• Contents:

Service-Linked Role

• 🔧 IAM role linked to a specific AWS service
  • Provides set of permissions predefined by a service (permissions the service needs to interact with other AWS services on your behalf)
• The linked service determines how to create, modify, and delete its linked role → It's always one of these 3 processes:
  1. AWS service configures the role by itself
  2. You configure the role with a setup wizard (configuration process)
  3. AWS service requires you to configure the role with IAM
• ‼️ You can NOT delete the service-linked role while the service needs it!!
  • Service-linked role can ONLY be deleted when it's no longer required by the service
  • 💡 Key difference with normal IAM roles
• Additional reading: https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html
• Example of an IAM policy referencing the iam:CreateServiceLinkedRole action

PassRole Architecture

• 🔧 An identity that is allowed to perform the iam:PassRole action can assign a pre-existing service-linked role to an AWS resource
  • ‼️ Role Separation!!
    • Works even if that identity doesn't have the permissions of the service-linked role
    • Works even if that identity does not have permissions to create, edit, or delete the service-linked role

• Example: Bob doesn't have permissions to create EC2 instances, but he is allowed to perform iam:PassRole with CloudFormation
  • Bob can execute a CFN template stack that creates EC2 instances
  • Bob can NOT create EC2 instances himself
  • By default, Bob can NOT modify or delete the pre-existing service-linked role, and he also can NOT create new ones