Prisma Cloud: Why AWS has a warning while updating permissions for "iam:CreateServiceLinkedRole"

 Why AWS shows a warning while updating permissions for "iam:CreateServiceLinkedRole"?

Full Warning message: 

"using the iam.createservicelinkedrole action with wildcards (*) on the resource may allow the creation of unwanted service linked roles. We recommend that you specify resource ARNs instead."

GUI Path: AWS --> IAM --> Policies --> Edit Policy

• Prisma Cloud
• AWS

The Warning message is due to the iam:CreateServiceLinkedRole permission allows a user or role to create a service-linked role, which is a type of IAM role that is created and used by AWS services to integrate with other AWS services. While this permission is not inherently risky, it does give the user or role the ability to create roles that can be used to grant permissions to AWS services. If the service-linked role is misconfigured, it could potentially lead to unintended access or other security risks.

However, AWS services that use service-linked roles typically provide documentation on the permissions required by those roles, so it's important to ensure that the roles are created with the appropriate permissions for the specific service and use case. As with any permission in IAM, granting iam:CreateServiceLinkedRole should be done carefully and only to trusted users or roles that require it for legitimate business purposes. Additionally, it's recommended to follow the principle of least privilege, granting only the minimum permissions necessary to perform the required actions.