Skip to content

IAM policy documents allow * (asterisk) as a statement's action

Description

IAM policies should grant a minimum set of permissions, adding more as required, rather than grant full administrative privileges. Providing full administrative privileges when not required exposes resources to potentially unwanted actions.

Fix - Runtime

AWS Console

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon IAM console.
  3. In the navigation pane, click Policies and then search for the policy name found in the audit step.
  4. Select the policy that needs to be deleted.
  5. In the policy action menu, select first Detach.
  6. Select all Users, Groups, Roles that have this policy attached.
  7. Click Detach Policy.
  8. In the policy action menu, select Detach.

CLI Command

  1. List all IAM users, groups, and roles that the specified managed policy is attached to:

aws iam list-entities-for-policy --policy-arn <policy_arn>

  1. Detach the policy from all IAM Users:

aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>

  1. Detach the policy from all IAM Groups:

aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>

  1. Detach the policy from all IAM Roles:

aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>

Fix - Buildtime

Terraform

  • Resources: aws_iam_policy
  • Argument: policy - (Required) The policy document. This is a JSON formatted string. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide. 
resource "aws_iam_policy" "policy" {
  name        = "test_policy"
  path        = "/"
  description = "My test policy"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
-        "*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}