Policy JSON generates PassRole With Star in Resource warning #6

@blcooley

Description

For the policy JSON given under the Sagemaker instructions in the setup, the AWS console generates an error with respect to the following section from lines 24-36:

```json
{
	"Sid": "IAM1",
	"Effect": "Allow",
	"Action": [
		"iam:CreateRole",
		"iam:DeleteRole",
		"iam:PassRole",
		"iam:AttachRolePolicy",
		"iam:DetachRolePolicy",
		"iam:CreatePolicy"
	],
	"Resource": "*"
},
```

The error reads:
PassRole With Star In Resource: Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.

I found this to be confusing, even though I ignored the warning and continued. Is it necessary to specify a wildcard for resource in this section? If so, does adding the iam:PassedToService condition key solve the problem? To be honest, I'm not sure what that means or how to do it right now.
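As an added illustration (not part of the issue or of the repository's setup instructions): the `IAM1` statement quoted above next to a form that keeps `iam:PassRole` out of the wildcard statement and limits it with `iam:PassedToService`, plus a small check that flags exactly what the console warning describes. Assumptions: the roles are only ever passed to SageMaker, and the account id and role path in the hardened statement are placeholders.

```python
import json
from fnmatch import fnmatch

# The statement quoted in the issue: iam:PassRole granted on Resource "*".
ORIGINAL_STATEMENT = {
    "Sid": "IAM1",
    "Effect": "Allow",
    "Action": ["iam:CreateRole", "iam:DeleteRole", "iam:PassRole",
               "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:CreatePolicy"],
    "Resource": "*",
}

# Hardened form (assumption: roles are passed only to SageMaker; the account id
# 123456789012 and the role path are placeholders, not values from the setup).
HARDENED_STATEMENTS = [
    {
        "Sid": "IAM1",
        "Effect": "Allow",
        "Action": ["iam:CreateRole", "iam:DeleteRole", "iam:AttachRolePolicy",
                   "iam:DetachRolePolicy", "iam:CreatePolicy"],
        "Resource": "*",
    },
    {
        "Sid": "PassRoleToSageMaker",
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": "arn:aws:iam::123456789012:role/service-role/*",
        "Condition": {"StringEquals": {"iam:PassedToService": "sagemaker.amazonaws.com"}},
    },
]


def policy(statements):
    """Wrap a list of statements in a complete policy document."""
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def passrole_findings(policy_doc):
    """Return the Sids of Allow statements that grant iam:PassRole (directly or via a
    wildcard such as iam:*) on Resource "*" without an iam:PassedToService condition."""
    findings = []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        grants_passrole = any(fnmatch("iam:passrole", a.lower()) for a in _as_list(stmt.get("Action", [])))
        star_resource = "*" in _as_list(stmt.get("Resource", []))
        has_condition = "iam:passedtoservice" in json.dumps(stmt.get("Condition", {})).lower()
        if grants_passrole and star_resource and not has_condition:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings
```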
