Ensure that there is no wildcard action in an IAM policy

An IAM policy should be set up so that it follows the principle of least privilege. A wildcard in an action means that the IAM policy allows all actions on a resource.

Risk Level: High
Cloud Entity: AWS IAM Policy
CloudGuard Rule ID: D9.CFT.IAM.13
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

AWS_IAM_Policy should not have PolicyDocument.Statement contain-any [ Effect='Allow' and Action='*' ]

REMEDIATION

From CFT
In each AWS::IAM::Policy resource, set every Action property in the PolicyDocument.Statement array to a specific action, as per the requirement.
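
The check that the GSL rule expresses can be run locally against a template before deployment. The following is an added example, not CloudGuard's or Spectral's own code; it assumes a JSON-format template, and the function names, resource names and sample template are constructed for illustration. Treating a list-valued Action that contains '*' as a match is also an assumption.

```python
import json

# Constructed sample CloudFormation template (JSON form, trimmed to the relevant keys).
TEMPLATE = json.loads("""
{
  "Resources": {
    "BroadPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "broad",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
          {"Effect": "Allow", "Action": "*", "Resource": "arn:aws:s3:::example-bucket/*"},
          {"Effect": "Deny", "Action": "*", "Resource": "arn:aws:s3:::example-bucket/private/*"}
        ]}
      }
    },
    "ScopedPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "scoped",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": {
          "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"
        }}
      }
    }
  }
}
""")

def as_list(value):
    # IAM JSON accepts a single object or string where a list is also valid.
    return value if isinstance(value, list) else [value]

def wildcard_action_findings(template):
    """Return (logical_id, statement_index) for every Allow statement with Action '*'."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Policy":
            continue
        document = resource.get("Properties", {}).get("PolicyDocument", {})
        for index, statement in enumerate(as_list(document.get("Statement", []))):
            # Mirrors the rule text: Effect='Allow' and Action='*'. Deny statements
            # and service-scoped patterns such as "s3:*" are not matched here.
            if statement.get("Effect") == "Allow" and "*" in as_list(statement.get("Action", [])):
                findings.append((logical_id, index))
    return findings

if __name__ == "__main__":
    for logical_id, index in wildcard_action_findings(TEMPLATE):
        print(f"{logical_id}: Statement[{index}] allows Action '*'")
```

Replacing the flagged statement's Action with the specific actions the workload needs clears the finding.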

References

  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_IAM.html

AWS IAM Policy

You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an entity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents.

Compliance Frameworks

  • AWS CloudFormation ruleset