Ensure that the IAM Policy does not grant full administrative rights
An IAM policy should not grant full administrative access, i.e. an Allow statement covering every action ('*') on every resource ('*'). Such a policy violates the principle of least privilege: any principal it is attached to can perform any operation in the account, and a compromised credential or injected code inherits that power.
Risk Level: High
Cloud Entity: AWS IAM Policy
CloudGuard Rule ID: D9.CFT.IAM.15
Covered by Spectral: Yes
Category: Security, Identity, & Compliance
GSL LOGIC
AWS_IAM_Policy should not have PolicyDocument.Statement contain-any [ Effect='Allow' and Action='*' and Resource='*' ]
REMEDIATION
From CFT
In the AWS::IAM::Policy PolicyDocument, restrict the Action and Resource elements of every Allow statement to the minimal set the workload needs, e.g. Action: ['s3:Create*'] together with a Resource limited to specific ARNs rather than '*'. Note that the rule only matches the literal wildcard on both elements: a statement such as Action: 'iam:*' on Resource: '*' is not flagged, but it can still be used to escalate to full account access and should also be scoped down.
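The following is an added example and not CloudGuard's own implementation of the rule: a small Python check that applies the GSL condition above (Effect='Allow' and Action='*' and Resource='*') to every AWS::IAM::Policy in a CloudFormation template, run against a constructed template that contains the offending policy next to its remediated form from the remediation note. It assumes the template is in JSON form (YAML would need an extra parser), and, as an assumption going slightly beyond the literal GSL comparison, it also recognises the wildcard when it appears inside a list, since IAM evaluates `"Action": ["*"]` the same way as `"Action": "*"`.

```python
import json
import sys


def _as_list(value):
    """IAM allows Action, Resource and Statement to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_is_full_admin(statement):
    """True when one statement allows every action on every resource.

    This is the D9.CFT.IAM.15 condition. The wildcard is also accepted inside
    a list (e.g. Action: ['*', 's3:Get*']); that list handling is an assumption
    made here, not something the GSL text spells out. Scoped wildcards such as
    's3:*' or 'iam:*' are deliberately NOT matched: they are outside this rule.
    """
    if statement.get("Effect") != "Allow":
        return False
    actions = _as_list(statement.get("Action"))
    resources = _as_list(statement.get("Resource"))
    return "*" in actions and "*" in resources


def find_full_admin_policies(template):
    """Return the logical IDs of AWS::IAM::Policy resources that fail the rule."""
    failing = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Policy":
            continue
        document = resource.get("Properties", {}).get("PolicyDocument", {})
        if any(statement_is_full_admin(s) for s in _as_list(document.get("Statement"))):
            failing.append(logical_id)
    return failing


# Constructed sample template (not from the page): the offending policy next to
# its remediated form, with Action and Resource both narrowed.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "AdminPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "admin-everything",
        "Roles": ["AppRole"],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}
          ]
        }
      }
    },
    "ScopedPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "create-buckets-only",
        "Roles": ["AppRole"],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:Create*"],
             "Resource": "arn:aws:s3:::example-bucket"}
          ]
        }
      }
    }
  }
}
""")


if __name__ == "__main__":
    # Optional argument: path to a JSON-format template; otherwise use the sample.
    # Exits non-zero when any policy fails, so the check can gate a CI pipeline.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    failing = find_full_admin_policies(template)
    print("failing policies:", failing)
    sys.exit(1 if failing else 0)
```

Running it on the sample reports only AdminPolicy; ScopedPolicy passes because both its Action and its Resource are narrowed. A Deny statement with the same wildcards is not a finding, and neither is a scoped wildcard such as 's3:*', which matches the rule's intent of flagging only the unrestricted Allow.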
References
AWS IAM Policy
You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an entity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents.
Compliance Frameworks
- AWS CloudFormation ruleset
Updated over 1 year ago