Dev.to
5/11/2026

The iam: PassRole Nightmare - 3 Weeks of My Life I Will Never Get Back
Short summary
An enterprise Bedrock Agent deployment failed because of an explicit deny on iam:PassRole in the organization's managed IAM policy. The fix was to deploy through CloudFormation (which runs under a service role with the needed permissions) instead of the CLI, after a security review and a 5-day change request. Enterprise IAM requires understanding the full policy evaluation chain: SCPs, permission boundaries, managed policies, and resource policies.
- Explicit IAM denies cannot be overridden—even AdminAccess loses to explicit deny
- CloudFormation uses a service role, bypassing user-level IAM denies for resource creation
- Enterprise deployment requires architecture review upfront, not trial-and-error permission escalation
Generated with AI, which can make mistakes.
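A small model of IAM's evaluation order, added here as an example (not code from the Dev.to post), to show the point behind the first two bullets: an explicit Deny on iam:PassRole in an attached managed policy beats an allow-all identity policy, while a principal whose own policies carry no such Deny (the CloudFormation service role) gets Allow. The policies, role ARN and account id are constructed; SCPs apply to the service role as well, so only the identity-policy layer differs between the two cases.

```python
# Added example: a minimal model of AWS IAM request evaluation across
# SCP, permission-boundary and identity-policy layers. Not the post's code.
from fnmatch import fnmatch

# Constructed policies. ALLOW_ALL stands in for an AdministratorAccess-style
# policy; ORG_DENY_PASSROLE for the organisation's managed policy.
ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
ORG_DENY_PASSROLE = {"Statement": [
    {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"}]}
SCP_ALLOW_ALL = ALLOW_ALL


def _as_list(v):
    return v if isinstance(v, list) else [v]


def statement_matches(stmt, action, resource):
    """True when the statement's Action/Resource patterns cover the request."""
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch(action.lower(), a.lower()) for a in actions)
            and any(fnmatch(resource, r) for r in resources))


def layer_decision(policies, action, resource):
    """One layer's decision: explicit Deny > Allow > implicit deny."""
    decision = "ImplicitDeny"
    for pol in policies:
        for stmt in pol.get("Statement", []):
            if not statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # a Deny anywhere in the layer is final
            decision = "Allow"
    return decision


def evaluate(action, resource, *, scps, identity_policies, boundary=None):
    """Explicit Deny at any layer wins; otherwise every layer present must Allow."""
    layers = [scps, identity_policies]
    if boundary is not None:
        layers.append([boundary])
    decisions = [layer_decision(layer, action, resource) for layer in layers]
    if "Deny" in decisions:
        return "Deny"
    return "Allow" if all(d == "Allow" for d in decisions) else "ImplicitDeny"


def demo():
    """Developer (allow-all + org Deny) vs. CloudFormation service role (no Deny)."""
    req = ("iam:PassRole", "arn:aws:iam::123456789012:role/BedrockAgentRole")
    dev = evaluate(*req, scps=[SCP_ALLOW_ALL],
                   identity_policies=[ALLOW_ALL, ORG_DENY_PASSROLE])
    svc = evaluate(*req, scps=[SCP_ALLOW_ALL], identity_policies=[ALLOW_ALL])
    return dev, svc  # → ("Deny", "Allow")
```

Passing `boundary=` with a policy that allows only `bedrock:*` yields `ImplicitDeny` for the same request, which is the third layer the summary mentions.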