Ensure that there is no wildcard action in an inline IAM group policy
An IAM group policy should be set up so that it follows the least-privilege principle. A wildcard (`*`) in an action means that the IAM policy allows every action on the resource, so a group carrying such an inline policy grants all of its members unrestricted rights on whatever the statement's Resource covers.
Risk Level: High
Cloud Entity: IAM Group
CloudGuard Rule ID: D9.CFT.IAM.24
Covered by Spectral: Yes
Category: Security, Identity, & Compliance
GSL LOGIC
AWS_IAM_Group should not have Policies contain-any [ PolicyDocument.Statement contain-any [ Effect='Allow' and Action='*' ] ]
REMEDIATION
From CFT
Set AWS::IAM::Group Policies.PolicyDocument.Statement.Action to a restrictive set of actions.
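The following is an added example, not CloudGuard's own implementation, that applies the GSL logic above to a CloudFormation template already loaded into a Python dict (for instance from a YAML or JSON loader). It mirrors the rule literally (Effect='Allow' with a bare '*' Action), normalises the single-item-or-list forms IAM allows for Statement and Action, and runs against a constructed template with one non-compliant group and two compliant ones; the `_group` helper and the group names are constructed for the example.

```python
def _as_list(value):
    """IAM lets Statement and Action be a single item or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_allows_all_actions(statement):
    """Mirror the rule's GSL: Effect='Allow' and a bare '*' Action.
    Service-scoped wildcards such as 's3:*' are not matched by this rule."""
    if statement.get("Effect") != "Allow":
        return False
    return "*" in _as_list(statement.get("Action"))


def find_wildcard_iam_groups(template):
    """Names of AWS::IAM::Group resources whose inline Policies contain
    an Allow statement with Action '*' (the D9.CFT.IAM.24 condition)."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Group":
            continue
        policies = _as_list(resource.get("Properties", {}).get("Policies"))
        for policy in policies:
            statements = _as_list(policy.get("PolicyDocument", {}).get("Statement"))
            if any(statement_allows_all_actions(s) for s in statements):
                findings.append(name)
                break  # one offending policy is enough to flag the group
    return findings


def _group(policy_name, statement):
    """Constructed helper: an AWS::IAM::Group resource with one inline policy."""
    return {"Type": "AWS::IAM::Group",
            "Properties": {"Policies": [{"PolicyName": policy_name,
                                         "PolicyDocument": {"Version": "2012-10-17",
                                                            "Statement": statement}}]}}


# Constructed sample template: the first group violates the rule, the others comply.
SAMPLE_TEMPLATE = {"Resources": {
    "AdminsGroup": _group("everything",
                          {"Effect": "Allow", "Action": "*", "Resource": "*"}),
    "ReadersGroup": _group("s3-read",
                           [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                             "Resource": "arn:aws:s3:::example-bucket/*"}]),
    "DenyAllGroup": _group("deny-all",
                           {"Effect": "Deny", "Action": "*", "Resource": "*"}),
}}
```

Calling `find_wildcard_iam_groups(SAMPLE_TEMPLATE)` returns `['AdminsGroup']`; replacing that group's `Action` with the specific API calls it needs, as the remediation describes, clears the finding.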
References
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html
IAM Group
An IAM group is an entity that you create in AWS to represent a group of users. A group can have permissions associated with it.
Compliance Frameworks
- AWS CloudFormation ruleset