Exam AWS-SysOps topic 1 question 565 discussion

I would go with A. the policy basically allowing the user to Pass the role "role/InfraTeam*" to the EC2 that they are creating! So, the EC2 are able to perform any actions that the role "role/infraTeam*" can do (which is passed to it by the user)! Therefore, the user are able THROUGH the EC2 that he/she create so switch his role, from being "EC2:*" -full access -, to be roles written into "role/InfraTeam*" policy, and that could be launching DynamoDB, Lambda....etc. https://docs.amazonaws.cn/en_us/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html

Ans is A

iam:PassRole: This privilege is required to pass an IAM role to another AWS service. Without this privilege, you won't be able to use the "aws iam passrole" command.

B. Users with the role of InfraTeamLinux are able to launch an EC2 instance and attach that role to it. Seemcorrect as InfraTeam* are able to launch the EC2 instance

Should be A: By giving a role or user the iam:PassRole permission, you are is saying "this entity (principal) is allowed to assign AWS roles to resources and services in this account".

This is good explanation https://blog.rowanudell.com/iam-passrole-explained/ A seems correct

It's B. A is talking about AssumeRole not PassRole. C and D are quite invalid. https://www.reddit.com/r/aws/comments/jyf4c4/difference_between_iam_passrole_vs_assumerole/

B. Users with the role of InfraTeamLinux are able to launch an EC2 instance and attach that role to it. Seemcorrect as InfraTeam* are able to launch the EC2 instance

A is correct...

not sure about B InfraTeamLinux?

B roles can be passed not switched.

B. Users with the role of InfraTeamLinux are able to launch an EC2 instance and attach that role to it.

I take C back, it is B !! https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html ..Thanks Wsh!

C is the ans, user has PassRole on Infrateam as well as his Ec2 full right!

I would choose B, https://aws.amazon.com/blogs/security/granting-permission-to-launch-ec2-instances-with-iam-roles-passrole-permission/

Why not B? https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html

I concur moon comments. For additional info: PassRole is not an API action in the same way that RunInstances or ListInstanceProfiles is. Instead, it's a permission that AWS checks whenever a role ARN is passed as a parameter to an API (or the console does this on the user's behalf). It helps an administrator to control which roles can be passed by which users. In this case, it ensures that the user is allowed to attach a specific role to an Amazon EC2 instance.