Ensure that there is no wildcard action in an inline IAM user policy

IAM user policy should be setup in such a way that it follows the least privilege principle. Having wildcard in an action means that the IAM policy allows all actions on a resource.

Risk Level: High
Cloud Entity: IAM User
CloudGuard Rule ID: D9.CFT.IAM.26
Covered by Spectral: Yes
Category: Security, Identity, & Compliance


AWS_IAM_User should not have Policies contain-any [ PolicyDocument.Statement contain-any [ Effect='Allow' and Action='*' ] ]


From CFT
Set AWS::IAM::User Policies.PolicyDocument.Statement.Action to a specific set of actions.


  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html

IAM User

An IAM user is an entity that you create in AWS to represent the person or service that uses it to interact with AWS. A user in AWS consists of a name and credentials.

Compliance Frameworks

  • AWS CloudFormation ruleset