{"id":"iam-cross-account-passrole-requires-dual-controls","text":"Cross-account PassRole scenarios require both explicit deny policies for broad permissions and specific role ARN allow-lists — neither control alone is sufficient.","truth_value":"IN","source":"","source_url":"","source_hash":"","justifications":[],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"iam-cross-account-passrole-requires-dual-controls","truth_value":"IN","reason":"premise"}]}}