
aws-iam-wildcard-actions

Ensure no IAM policy documents allow "*" as a statement's actions

You should always follow the principle of least privilege when designing policies. Using wildcards too liberally increases risk, because the users, groups or roles to which such a policy is applied would almost certainly be granted the ability to use actions that they do not need. This increases the impact of a compromise of such an account.

Examples

Insecure Example

# Insecure example: the statement's action list contains a wildcard ("s3:*"),
# which is exactly what this rule flags.
data "aws_iam_policy_document" "policy_one" {
  statement {
    sid    = "OverridePlaceHolderOne"
    effect = "Allow"

    # "s3:*" matches every s3: action; paired with resources = ["*"] the
    # statement allows all of them on every resource.
    actions   = ["s3:*"]
    resources = ["*"]
  }
}
{
  "Type" : "AWS::IAM::Policy",
  "Properties" : {
      "PolicyDocument" : {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:*"
                ],
                "Resource": "*"
            }
        ]
      },
      "PolicyName" : "policy_one"
    }
}

Secure Example

# Secure example (for this rule): the statement names a single explicit action
# instead of a wildcard, so the wildcard-action check passes.
data "aws_iam_policy_document" "policy_one" {
  statement {
    sid    = "OverridePlaceHolderOne"
    effect = "Allow"

    # Only the one action that is actually needed is granted.
    actions   = ["s3:GetObject"]
    # NOTE: resources is still "*". This rule only inspects actions, so
    # narrowing resources to the specific bucket/objects is a separate
    # least-privilege improvement not covered by this check.
    resources = ["*"]
    # NOTE(review): a Principal element is only accepted in resource-based and
    # trust policies, not in identity-based policies attached to users, groups
    # or roles — confirm where this document is attached before relying on it.
    principals {
        type        = "AWS"
        identifiers = [var.trusted_role_arn]
    }
  }
}
{
  "Type" : "AWS::IAM::Policy",
  "Properties" : {
      "PolicyDocument" : {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject"
                ],
                "Resource": "*",
                "Principal": { "AWS": "arn:aws:iam::123456789012:root" }
            }
        ]
      },
      "PolicyName" : "policy_one"
    }
}

More information