Ensure that the IAM Policy does not grant full administrative rights

An IAM policy should not grant administrative access to everyone, as this violates the principle of least privilege.

Risk Level: High
Cloud Entity: AWS IAM Policy
CloudGuard Rule ID: D9.CFT.IAM.15
Covered by Spectral: Yes
Category: Security, Identity, & Compliance


AWS_IAM_Policy should not have PolicyDocument.Statement contain-any [ Effect='Allow' and Action='*' and Resource='*' ]


From CFT
Set the AWS::IAM::Policy Actions and Resources attributes to a limited subset, e.g. Actions: ['s3:Create*']
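The rule above, written out as an added example (not CloudGuard's implementation and not code from this page): a Python check over a parsed CloudFormation JSON template. The template and its resource names are constructed; the check also accepts the single-object and list forms of Statement, Action and Resource, which goes beyond the literal string match in the rule.

```python
import json

# Constructed CloudFormation template for illustration (not from the page).
TEMPLATE = json.loads("""{"Resources": {
  "AdminPolicy": {"Type": "AWS::IAM::Policy", "Properties": {"PolicyName": "admin",
    "PolicyDocument": {"Statement":
      {"Effect": "Allow", "Action": "*", "Resource": ["*"]}}}},
  "ScopedPolicy": {"Type": "AWS::IAM::Policy", "Properties": {"PolicyName": "scoped",
    "PolicyDocument": {"Statement": [
      {"Effect": "Allow", "Action": ["s3:Create*"], "Resource": "*"}]}}},
  "DenyAllPolicy": {"Type": "AWS::IAM::Policy", "Properties": {"PolicyName": "deny",
    "PolicyDocument": {"Statement": [
      {"Effect": "Deny", "Action": "*", "Resource": "*"}]}}},
  "Bucket": {"Type": "AWS::S3::Bucket", "Properties": {}}
}}""")


def _as_list(value):
    """IAM allows a single value or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_full_admin(statement):
    """True when a statement matches Effect='Allow', Action='*', Resource='*'."""
    return (
        statement.get("Effect") == "Allow"
        and "*" in _as_list(statement.get("Action"))
        and "*" in _as_list(statement.get("Resource"))
    )


def find_admin_policies(template):
    """Return logical IDs of AWS::IAM::Policy resources that violate the rule."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Policy":
            continue
        document = resource.get("Properties", {}).get("PolicyDocument", {})
        statements = [s for s in _as_list(document.get("Statement")) if isinstance(s, dict)]
        if any(is_full_admin(s) for s in statements):
            findings.append(logical_id)
    return findings


if __name__ == "__main__":
    print(find_admin_policies(TEMPLATE))
```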


  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_IAM.html

AWS IAM Policy

You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an entity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents.

Compliance Frameworks

  • AWS CloudFormation ruleset