Ensure that an inline IAM role policy does not allow full administrative rights

IAM role policies should be set up so that they follow the least privilege principle. Allowing full administrative rights (Effect Allow on Action '*' over Resource '*') may result in critical security loopholes in the system.

Risk Level: High
Cloud Entity: IAM Role
CloudGuard Rule ID: D9.CFT.IAM.36
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

AWS_IAM_Role should not have Policies contain-any [ PolicyDocument.Statement contain-any [  Effect = 'Allow' and Resource='*' and Action = '*' ] ]

REMEDIATION

From CFT
Set the Resource and Action elements of AWS::IAM::Role Policies.PolicyDocument.Statement to specific resources and actions instead of '*'.
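The following is an added example (not CloudGuard's or Spectral's own code) that applies the GSL logic above to a CloudFormation template in Python: it walks every AWS::IAM::Role, inspects its inline Policies and flags statements that allow Action '*' on Resource '*'. It goes slightly beyond the literal GSL by accepting IAM's single-value and list forms for Statement, Action and Resource. The template, logical IDs and bucket ARN are constructed sample data.

```python
# Constructed CloudFormation resources (sample data, not from the page): one role
# grants "*" on "*" inline, the other is scoped to a single bucket prefix, which
# is the remediated form the rule asks for.
TEMPLATE = {"Resources": {
    "AdminRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
        {"PolicyName": "inline-admin", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "*"], "Resource": "*"}]}}]}},
    "ScopedRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
        {"PolicyName": "inline-read", "PolicyDocument": {"Statement":
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-bucket/*"}}}]}},
    "Bucket": {"Type": "AWS::S3::Bucket"},
}}


def _as_list(value):
    # IAM lets Statement, Action and Resource be a single value or a list.
    return value if isinstance(value, list) else [value]


def statement_is_full_admin(stmt):
    # Mirrors the GSL predicate: Effect = 'Allow' and Action = '*' and Resource = '*'.
    # A "*" hidden inside a list of actions or resources counts as well.
    return (stmt.get("Effect") == "Allow"
            and "*" in _as_list(stmt.get("Action", []))
            and "*" in _as_list(stmt.get("Resource", [])))


def roles_with_inline_admin(template):
    """Return logical IDs of AWS::IAM::Role resources that violate D9.CFT.IAM.36."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        for policy in res.get("Properties", {}).get("Policies", []):
            statements = _as_list(policy.get("PolicyDocument", {}).get("Statement", []))
            if any(statement_is_full_admin(s) for s in statements):
                findings.append(logical_id)
                break  # one offending inline policy is enough to flag the role
    return findings


if __name__ == "__main__":
    print(roles_with_inline_admin(TEMPLATE))  # ['AdminRole']
```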

References

  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html
  3. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html

IAM Role

An IAM role is similar to a user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials (password or access keys) associated with it. Instead, if a user assumes a role, temporary security credentials are created dynamically and provided to the user.

Compliance Frameworks

  • AWS CloudFormation ruleset