An IAM Role is an identity with permission policies that determine what the identity can do in AWS. A role does not have any credentials (password or access keys) associated with it. Instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. The role {AwsIamRole} was found with permissive permissions that allows the user the ability to pass a role to a service. By passing a role to a service, a user may grant that service the ability to interact with the AWS API with the permissions of that role. By allowing a user to pass any role, an attacker may pass a role with administrative privileges to a service they control, such as an EC2 Instance or Lambda Function, and act through this service with escalated permissions.
Recommended Mitigation
Review the role's policy and consider removing one of the following groups of actions: iam:PassRole, (lambda:CreateFunction, lambda:InvokeFunction), (lambda:InvokeFunction, lambda:CreateEventSourceMapping), (glue:CreateDevEndpoint, glue:GetDevEndpoint/s), (cloudformation:CreateStack, cloudformation:DescribeStacks), (datapipeline:CreatePipeline, datapipeline:PutPipelineDefinition, datapipeline:ActivatePipeline)
Lateral movement
