Ensure that an inline IAM group policy does not allow full administrative rights

IAM group policy should be setup in such a way that it follows the least privilege principle. Allowing full admin rights may result into critical security loopholes in the system.

Risk Level: High
Cloud Entity: IAM Group
CloudGuard Rule ID: D9.CFT.IAM.34
Covered by Spectral: Yes
Category: Security, Identity, & Compliance


AWS_IAM_Group should not have Policies contain-any [ PolicyDocument.Statement contain-any [ Effect = 'Allow' and Resource='*' and Action = '*'] ]


From CFT
Set AWS::IAM::Group Resource and Action elements in Policies.PolicyDocument.Statement to a specific resources and actions.


  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

IAM Group

An IAM group is an entity that you create in AWS to represent a group of users. A group can have permissions associated with it.

Compliance Frameworks

  • AWS CloudFormation ruleset