Ensure that there is no wildcard action in a customer managed IAM policy

IAM policies should be set up to follow the principle of least privilege. A wildcard ('*') in the Action element of an Allow statement grants every API action of every AWS service on the resources named in that statement, so a policy containing one is effectively an administrator policy regardless of what the rest of the document says.

Risk Level: High
Cloud Entity: AWS Managed Policy
CloudGuard Rule ID: D9.CFT.IAM.14
Covered by Spectral: Yes
Category: Security, Identity, & Compliance


AWS_IAM_ManagedPolicy should not have PolicyDocument.Statement contain-any [ Effect='Allow' and Action='*' ]


From CFT
In the AWS::IAM::ManagedPolicy resource, replace every Action value of '*' in the PolicyDocument.Statement array with the specific actions (for example, the individual service API actions) that the principal actually requires. Check both forms IAM accepts: Action as a single string and Action as a list.
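The following is an added example, not part of the CloudGuard page or its rule engine. It shows, in one constructed CloudFormation template, a managed policy that violates the rule beside a corrected one, and a small checker that implements the same condition as the rule logic above (an Allow statement whose Action is '*'). It generalizes slightly beyond the rule text: it treats Statement and Action as either a single item or a list, which IAM permits, and it ignores Deny statements, since a Deny on '*' is not the problem the rule describes. The template is in the JSON form of CloudFormation so only the standard library is needed; resource names and ARNs are made up for illustration.

```python
import json
from typing import Any

# Constructed CloudFormation template (JSON form) used only for this example.
# "BadPolicy" violates D9.CFT.IAM.14, "GoodPolicy" is the least-privilege fix,
# "DenyAllPolicy" uses '*' only in a Deny statement and must not be flagged.
TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "BadPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}
          ]
        }
      }
    },
    "GoodPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::example-bucket",
                          "arn:aws:s3:::example-bucket/*"]}
          ]
        }
      }
    },
    "DenyAllPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": {"Effect": "Deny", "Action": "*", "Resource": "*"}
        }
      }
    },
    "Unrelated": {"Type": "AWS::S3::Bucket", "Properties": {}}
  }
}
""")


def _as_list(value: Any) -> list:
    """IAM allows Statement and Action to be a single item or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_allows_wildcard_action(stmt: dict) -> bool:
    """True when an Allow statement names '*' as an Action, as a string or a list element."""
    if stmt.get("Effect") != "Allow":
        return False
    return any(isinstance(a, str) and a.strip() == "*"
               for a in _as_list(stmt.get("Action")))


def find_wildcard_action_policies(template: dict) -> list[str]:
    """Return the logical IDs of AWS::IAM::ManagedPolicy resources that violate the rule."""
    offenders = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::ManagedPolicy":
            continue
        doc = res.get("Properties", {}).get("PolicyDocument", {})
        if any(statement_allows_wildcard_action(s) for s in _as_list(doc.get("Statement"))):
            offenders.append(logical_id)
    return offenders


if __name__ == "__main__":
    for lid in find_wildcard_action_policies(TEMPLATE):
        print(f"D9.CFT.IAM.14 violation: {lid} allows Action '*'")
```

Running the script reports only BadPolicy. The checker only inspects literal PolicyDocument values; a document assembled with intrinsic functions such as Fn::Sub or passed in through a Parameter would need to be resolved before the same test applies, and a service-wide wildcard such as "s3:*" is not caught by this rule even though it is also broader than least privilege usually calls for.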


  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html#edit-managed-policy-console
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

AWS Managed Policy

AWS managed policies are designed to provide permissions for many common use cases. Full-access AWS managed policies such as AmazonDynamoDBFullAccess and IAMFullAccess define permissions for service administrators by granting full access to a service. Power-user AWS managed policies such as AWSCodeCommitPowerUser and AWSKeyManagementServicePowerUser are designed for power users. Partial-access AWS managed policies such as AmazonMobileAnalyticsWriteOnlyAccess and AmazonEC2ReadOnlyAccess provide specific levels of access to AWS services without granting permissions-management access. AWS managed policies make it easier to assign appropriate permissions to users, groups, and roles than writing the policies yourself. Note that the AWS::IAM::ManagedPolicy CloudFormation resource this rule evaluates creates a customer managed policy in your own account; the policies described above are the ones AWS itself publishes and maintains.

Compliance Frameworks

  • AWS CloudFormation ruleset