aws-iam-policy-lax-full-admin
Ensure IAM policies that allow full "*-*" administrative privileges are not created
You should always follow the principle of least privilege when designing policies. Using wildcards too liberally increases risk, because the users, groups or roles to which such a policy is applied will almost certainly be granted actions they do not need. If one of those principals is compromised, the attacker inherits every action the wildcard covers, so the blast radius of the compromise is correspondingly larger.
Examples
Insecure Example

```hcl
# Both documents grant every action in a service namespace ("ec2:*", "iam:*")
# on every resource ("*"); this is what the rule flags.
data "aws_iam_policy_document" "source" {
  statement {
    actions   = ["ec2:*"]
    resources = ["*"]
  }
}

data "aws_iam_policy_document" "source_two" {
  statement {
    sid       = "UniqueSid"
    actions   = ["iam:*"]
    resources = ["*"]
  }
}
```
Secure Example

```hcl
# Only the two named S3 actions are allowed, scoped to S3 bucket ARNs.
data "aws_iam_policy_document" "example" {
  statement {
    sid = "1"
    actions = [
      "s3:ListAllMyBuckets",
      "s3:GetBucketLocation",
    ]
    resources = [
      "arn:aws:s3:::*",
    ]
  }
}
```
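The following checker is an added example, not part of this page or of the tool it documents. It implements the rule described above over the JSON form of an IAM policy, which is what the `aws_iam_policy_document` data source renders in its `json` attribute: it reports every `Allow` statement that combines a wildcard action (`*` or `<service>:*`) with `Resource: "*"`. It also reports `Allow` statements that use `NotAction`, since "everything except these actions" is at least as broad as a wildcard. The two embedded policies are constructed sample inputs that mirror the insecure and secure examples above.

```python
import json
from typing import Any, Dict, List

# Constructed sample input: the JSON Terraform would render from the two
# insecure aws_iam_policy_document blocks above.
INSECURE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Sid": "UniqueSid", "Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
    ],
})

# Constructed sample input: the JSON rendered from the secure example above.
SECURE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
            "Resource": "arn:aws:s3:::*",
        }
    ],
})


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a single string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_wildcard_action(action: str) -> bool:
    """True for "*" or "<service>:*", i.e. every action in a service namespace."""
    if action == "*":
        return True
    _service, sep, verb = action.partition(":")
    return sep == ":" and verb == "*"


def find_lax_statements(policy_json: str) -> List[Dict[str, Any]]:
    """Return the Allow statements that grant a wildcard action on Resource "*"."""
    policy = json.loads(policy_json)
    findings: List[Dict[str, Any]] = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only restrict; they cannot over-grant
        if "*" not in _as_list(stmt.get("Resource")):
            continue  # resource-scoped statements are outside this rule
        lax_actions = [a for a in _as_list(stmt.get("Action")) if is_wildcard_action(a)]
        # Allow + NotAction means "everything except these", which is at least
        # as broad as a wildcard, so it is reported under the same rule.
        if "NotAction" in stmt:
            lax_actions.append("NotAction:" + ",".join(_as_list(stmt["NotAction"])))
        if lax_actions:
            findings.append({
                "statement": index,
                "sid": stmt.get("Sid"),
                "wildcard_actions": lax_actions,
            })
    return findings


if __name__ == "__main__":
    for name, document in (("insecure", INSECURE_POLICY), ("secure", SECURE_POLICY)):
        print(name, find_lax_statements(document))
```

To run this against real configuration, expose the data source's `json` attribute through a Terraform output and pipe that output into `find_lax_statements`; the insecure examples produce two findings and the secure example produces none.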