When AWS IAM suggests including iam:PassRole permissions, even for services you're not directly using, it's related to how AWS services interact with each other.
Many AWS services require you to pass an IAM role to them during setup, which allows the service to assume that role and perform actions on your behalf. The iam:PassRole permission is not an API call itself but a permission that allows a user to pass a role to a service.
This recommendation often appears because:
- Service dependencies: Some services you are using might internally call other AWS services that require roles to be passed to them.
- Future-proofing: AWS might be anticipating your potential use of additional features or services that would require role-passing capabilities.
- Least privilege concerns: AWS generally recommends being specific with iam:PassRole permissions. Using overly broad permissions (like with NotResource) can be a security risk, which is why AWS recommends specifying exact resource ARNs and using the iam:PassedToService condition key to restrict which services can receive roles.
If you're seeing these recommendations for services you don't use, you can safely limit the iam:PassRole permissions to only the specific roles and services you need. This follows the principle of least privilege and is considered a security best practice.
Sources
Grant a user permissions to pass a role to an AWS service - AWS Identity and Access Management
IAM policy validation check reference - AWS Identity and Access Management
Supplement managed policy for PowerUserAccess that also allows role assumptions | AWS re:Post
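As an added illustration of the least-privilege point in the answer above (example code, not from the original post or from AWS), the following Python checks IAM policy statements that grant iam:PassRole and flags the two weak patterns the answer names: a NotResource or wildcard resource, and a missing iam:PassedToService condition. The two policies and the account ID are constructed samples.

```python
import json

# Constructed sample: overly broad PassRole grant using NotResource.
BROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "iam:PassRole",
    "NotResource": "arn:aws:iam::123456789012:role/admin-*"
  }]
}
""")

# Constructed sample: scoped to one role and one receiving service.
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": "arn:aws:iam::123456789012:role/lambda-exec-role",
    "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}
  }]
}
""")

def _as_list(v):
    # IAM allows a single string or a list for Action/Resource/Statement.
    return v if isinstance(v, list) else [v]

def passrole_findings(policy):
    """Return findings for Allow statements that can grant iam:PassRole."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        # Only exact PassRole or full wildcards are matched; partial patterns
        # such as "iam:Pass*" are out of scope for this check.
        if not any(a in ("iam:passrole", "iam:*", "*") for a in actions):
            continue
        if "NotResource" in stmt:
            findings.append(f"statement {i}: NotResource allows passing every role not listed")
        elif any(r == "*" or r.endswith("role/*") for r in _as_list(stmt.get("Resource", "*"))):
            findings.append(f"statement {i}: wildcard Resource allows passing any role")
        cond = stmt.get("Condition", {})
        # Condition keys are case-insensitive in IAM, so compare lowercased.
        if not any(k.lower() == "iam:passedtoservice" for v in cond.values() for k in v):
            findings.append(f"statement {i}: no iam:PassedToService condition, any service may receive the role")
    return findings
```

Running `passrole_findings` over a policy document pulled from `aws iam get-policy-version` gives a quick pre-deployment check before the policy validator does.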