Why the action "iam:PassRole" itself is considered an issue?

[alexzon]

Considering the control Ensure no Customer Managed IAM policies allow actions that may lead into Privilege Escalation, why the action iam:PassRole by itself is considered an issue?

File reference (line 20)

The following lines (21+) list actions that, in combination with iam:PassRole, are a risk.
I've done some research and couldn't find anything supporting that the action alone is a risk.
Does this check consider conditions? Is it there as a best practice the limit the PassRole action?

Thanks in advance for any insights on this.

[jfagoagas]

Hi @alexzon, it is considered an issue because it can be combined with some other actions not present in the policies combination list below. I think this action by itself won't be harmful.