IAM policy has allowed full administrative privileges for all resources

ID: aws_iam_policy_privileges

Severity: critical

Vendor: AWS

Resource: IAM

Tags: reachable

Description

The IAM policy allows full administrative privileges over all resources, so it does not follow IAM security best practices and should be deactivated (detached from any IAM user, group, or role). The flagged configuration is Effect=Allow, Action="*", Resource="*".

To fix it, restrict the actions that grant access in the Action property and the resources in the Resource property; neither value may be the wildcard *.

Learn more about this topic at AWS IAM policy.

Examples

- name: Update an IAM Managed Policy with a non default version
  community.aws.iam_managed_policy:
    policy_name: "ManagedPolicy"
    policy:
      Version: "2012-10-17"
      Statement:
      # Flagged: Allow on Action "*" over Resource "*" is full administrative access
      - Effect: "Allow"
        Action: "*"
        Resource: "*"
    make_default: false
    state: present

Mitigation / Fix

- name: Update an IAM Managed Policy with a non default version
  community.aws.iam_managed_policy:
    policy_name: "ManagedPolicy"
    policy:
      Version: "2012-10-17"
      Statement:
      # Compliant: a single named action scoped to an explicit resource ARN pattern
      - Effect: "Allow"
        Action: "iam:ListUsers"
        Resource: "arn:aws:iam::*:*"
    make_default: false
    state: present
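The rule described above, applied to a parsed IAM policy document, as an added example (this is not the scanner's own code). It normalises the single-string and list forms IAM allows for Statement, Action and Resource, then flags any Allow statement whose Action and Resource are both exactly "*"; the two sample documents are constructed from the Examples and Mitigation / Fix policies on this page.

```python
import json
from typing import Any


def _as_list(value: Any) -> list:
    """IAM accepts a single string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_full_admin_statements(policy: dict) -> list:
    """Return indexes of statements matching the rule: Effect=Allow, Action="*", Resource="*".

    `policy` is a parsed policy document (the dict under `policy:` in the Ansible
    tasks above, or json.loads() of a managed policy version's document).
    """
    flagged = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant privileges
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        # Only the bare wildcard counts; "iam:*" or "arn:aws:iam::*:*" is scoped
        if "*" in actions and "*" in resources:
            flagged.append(idx)
    return flagged


def check_policy_document(document: str) -> bool:
    """True when the JSON policy document violates aws_iam_policy_privileges."""
    return bool(find_full_admin_statements(json.loads(document)))


# Constructed sample: the flagged policy from the Examples section, as JSON.
FLAGGED_DOCUMENT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed sample: the Mitigation / Fix policy with scoped action and resource.
FIXED_DOCUMENT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:ListUsers",
                   "Resource": "arn:aws:iam::*:*"}],
})

if __name__ == "__main__":
    for label, doc in (("flagged", FLAGGED_DOCUMENT), ("fixed", FIXED_DOCUMENT)):
        print(label, "violates rule:", check_policy_document(doc))
```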